A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
References
| Link | Resource |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:19596 | Vendor Advisory |
| https://access.redhat.com/errata/RHSA-2026:19597 | Vendor Advisory |
| https://access.redhat.com/security/cve/CVE-2026-37978 | Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2455327 | Vendor Advisory |
Configurations
History
03 Jun 2026, 20:04
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://access.redhat.com/errata/RHSA-2026:19596 - Vendor Advisory | |
| References | () https://access.redhat.com/errata/RHSA-2026:19597 - Vendor Advisory | |
| References | () https://access.redhat.com/security/cve/CVE-2026-37978 - Vendor Advisory | |
| References | () https://bugzilla.redhat.com/show_bug.cgi?id=2455327 - Vendor Advisory | |
| First Time |
Redhat
Redhat build Of Keycloak |
|
| CPE | cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:* |
20 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
20 May 2026, 12:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
19 May 2026, 12:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-19 12:16
Updated : 2026-06-03 20:04
NVD link : CVE-2026-37978
Mitre link : CVE-2026-37978
CVE.ORG link : CVE-2026-37978
JSON object : View
Products Affected
redhat
- build_of_keycloak
CWE
CWE-639
Authorization Bypass Through User-Controlled Key