CVE-2026-3911

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6478
https://access.redhat.com/security/cve/CVE-2026-3911
https://bugzilla.redhat.com/show_bug.cgi?id=2446392

Configurations

No configuration.

History

02 Apr 2026, 14:16

Type	Values Removed	Values Added
Summary		(es) Se encontró una falla en Keycloak. Un usuario autenticado con el rol view-users podría explotar una vulnerabilidad en el componente UserResource. Al acceder a un endpoint administrativo específico, este usuario podría recuperar indebidamente atributos de usuario que estaban configurados para estar ocultos. Esta revelación de información no autorizada podría exponer datos de usuario sensibles.
References		() https://access.redhat.com/errata/RHSA-2026:6477 - () https://access.redhat.com/errata/RHSA-2026:6478 -

11 Mar 2026, 06:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 06:17

Updated : 2026-04-02 14:16

NVD link : CVE-2026-3911

Mitre link : CVE-2026-3911

CVE.ORG link : CVE-2026-3911

JSON object : View

Products Affected

No product.

CWE

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

2.7 /10