Low severity 2.7 · GHSA Advisory · Published Mar 11, 2026 · Updated May 7, 2026
CVE-2026-3911
Description
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | <= 26.5.5 | — |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
- osv-coords (7 versions):
  - pkg:apk/chainguard/keycloak-26.5 (no CPE), range: < 26.5.6-r0
  - pkg:apk/chainguard/keycloak-26.5-iamguarded-compat (no CPE), range: < 26.5.6-r0
  - pkg:apk/chainguard/keycloak-fips-26.5 (no CPE), range: < 26.5.6-r0
  - pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fips (no CPE), range: < 26.5.6-r0
  - pkg:apk/wolfi/keycloak-26.5 (no CPE), range: < 26.5.6-r0
  - pkg:apk/wolfi/keycloak-26.5-iamguarded-compat (no CPE), range: < 26.5.6-r0
  - pkg:maven/org.keycloak/keycloak-services (no CPE), range: <= 26.5.5
References
- access.redhat.com/errata/RHSA-2026:6477 (nvd, Vendor Advisory, WEB)
- access.redhat.com/errata/RHSA-2026:6478 (nvd, Vendor Advisory, WEB)
- access.redhat.com/security/cve/CVE-2026-3911 (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-xh32-c9wx-phrp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-3911 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (nvd, Issue Tracking, WEB)
- github.com/keycloak/keycloak/commit/215bc1e27230f2a66670ed70262248b5f5254eb9 (ghsa, WEB)
- github.com/keycloak/keycloak/issues/46922 (ghsa, WEB)
- github.com/keycloak/keycloak/pull/46923 (ghsa, WEB)