CVE-2026-37978

medium

Description

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2026:19597

https://access.redhat.com/errata/RHSA-2026:19596

https://bugzilla.redhat.com/show_bug.cgi?id=2455327

https://access.redhat.com/security/cve/CVE-2026-37978

Details

Source: Mitre, NVD

Published: 2026-05-19

Updated: 2026-05-20

Risk Information

CVSS v2

Base Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.9

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00026