CVE-2026-37978

medium
Published 2026-05-19 · Modified 2026-06-03
CVSS v3
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4
not yet in upstream
VIR risk
4.9

Description

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.

Predictions

Exploit likelihood
59%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata (Red Hat Inc.), via Open-Errata-API

Description

keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API

Red Hat statement

This is a Moderate impact vulnerability affecting Red Hat Build of Keycloak (RHBK). A low-privilege administrator with the `view-clients` role can exploit the `evaluate-scopes` Admin API endpoints to disclose sensitive user profile and role data. This allows unauthorized visibility into user identities and authorizations across the realm, requiring network access to the Admin API for exploitation.

CVSS v3: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
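To spot the access pattern described above in admin-side logs, here is an added detection example; it is not Keycloak's code and is not part of this record. It assumes a constructed JSON log line shape carrying the caller's realm-management roles and the requested URL, assumes the evaluate-scopes endpoints live under the client's Admin API path as in the sample, and treats the role names in USER_VISIBLE_ROLES as already entitled to user data (an assumption to adjust per realm).

```python
"""Flag evaluate-scopes Admin API calls that pass a userId from a caller who
holds only the view-clients role (the access pattern described in this CVE).

Added example for this record, not Keycloak code. The log shape is a
constructed JSON format, not Keycloak's own output; the endpoint paths are
assumptions about where the evaluate-scopes endpoints live."""
import json
from urllib.parse import parse_qs, urlsplit

# Callers holding any of these realm-management roles are expected to see user
# data anyway, so their evaluate-scopes calls are not cross-role leakage.
# (Assumed role names; adjust to the roles your realm actually grants.)
USER_VISIBLE_ROLES = {"realm-admin", "manage-users", "view-users"}

# Constructed sample access log, one JSON object per line.
SAMPLE_LOG = [
    '{"caller":"alice","roles":["view-clients"],"method":"GET",'
    '"url":"/admin/realms/prod/clients/c1/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-42"}',
    '{"caller":"bob","roles":["realm-admin"],"method":"GET",'
    '"url":"/admin/realms/prod/clients/c1/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-42"}',
    '{"caller":"alice","roles":["view-clients"],"method":"GET",'
    '"url":"/admin/realms/prod/clients/c1/evaluate-scopes/protocol-mappers?scope=openid"}',
    '{"caller":"carol","roles":["view-clients","view-users"],"method":"GET",'
    '"url":"/admin/realms/prod/clients/c1/evaluate-scopes/scope-mappings/r1/granted?userId=u-7"}',
    '{"caller":"alice","roles":["view-clients"],"method":"GET",'
    '"url":"/admin/realms/prod/clients/c1"}',
]

def classify(line: str):
    """Return a finding dict for a suspicious log entry, else None."""
    entry = json.loads(line)
    parts = urlsplit(entry["url"])
    if "evaluate-scopes" not in parts.path.split("/"):
        return None
    user_ids = parse_qs(parts.query).get("userId")
    if not user_ids:
        return None  # no target user supplied: nothing user-specific returned
    roles = set(entry.get("roles", []))
    if roles & USER_VISIBLE_ROLES or "view-clients" not in roles:
        return None  # caller may see users anyway, or lacks the role in question
    return {"caller": entry["caller"], "user_id": user_ids[0], "path": parts.path}

def find_suspicious(lines):
    """Run classify over every log line, keeping only the hits."""
    return [f for line in lines if (f := classify(line))]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['caller']} evaluated scopes for userId={hit['user_id']} via {hit['path']}")
```

Only the first sample line is flagged: a view-clients-only caller asking for another user's evaluated scopes.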

Errata / fixed releases

Product                            | Package                                   | Advisory        | Released
Red Hat build of Keycloak 26.4     | rhbk/keycloak-operator-bundle:26.4.12-1   | RHSA-2026:19597 | 2026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4     | rhbk/keycloak-rhel9:26.4-17               | RHSA-2026:19597 | 2026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4     | rhbk/keycloak-rhel9-operator:26.4-17      | RHSA-2026:19597 | 2026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4.12  | rhbk/keycloak-rhel9                       | RHSA-2026:19596 | 2026-05-20T00:00:00Z

Apply commands

Apply RHSA-2026:19597 / RHSA-2026:19596 for Red Hat build of Keycloak 26.4
# The fixed artifacts are container images (name:tag), not RPMs, so yum/dnf
# cannot install them. Pull the patched images instead; the registry host
# registry.redhat.io is assumed here, adjust it to the registry you mirror from.
podman pull registry.redhat.io/rhbk/keycloak-rhel9:26.4-17
podman pull registry.redhat.io/rhbk/keycloak-rhel9-operator:26.4-17
podman pull registry.redhat.io/rhbk/keycloak-operator-bundle:26.4.12-1

Application impact

Vendor | Product           | Versions affected                      | Fixed
redhat | build_of_keycloak | < 26.4.12 (endExcluding 26.4.12)       | 26.4.12

References

CWEs

CWE-639
