PatchSiren cyber security CVE debrief
CVE-2026-37978 Red Hat CVE debrief
CVE-2026-37978 describes a Keycloak issue where a low-privilege administrator with the 'view-clients' role can call the 'evaluate-scopes' Admin API endpoints with an arbitrary userId. That can expose personally identifiable information and authorization details for users beyond the caller’s intended scope, enabling cross-role information disclosure across the realm. The CVE was published on 2026-05-19 and updated on 2026-05-20; the supplied NVD record was still marked 'Undergoing Analysis' at the time of the source snapshot.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Keycloak operators, IAM/security teams, and administrators who delegate admin roles or expose the Keycloak Admin API to network-reachable management users should pay attention, especially where 'view-clients' or similar delegated privileges are in use.
Technical summary
The supplied CVE description says a low-privilege administrator with the 'view-clients' role can invoke 'evaluate-scopes' Admin API endpoints with an arbitrary userId parameter. That creates a remote, network-reachable path to cross-role PII leakage and unauthorized visibility into user identities and authorizations within a realm. The NVD vector provided is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (4.9 Medium), and the cited weakness is CWE-639.
Defensive priority
Medium priority. The issue affects confidentiality only, not integrity or availability, but it should be prioritized in environments where the Admin API is reachable and delegated administrator roles are common.
Recommended defensive actions
- Apply vendor-provided remediation from the referenced Red Hat advisories as soon as it is available for your deployment.
- Review who has the 'view-clients' role and remove or minimize delegated admin access where it is not strictly needed.
- Restrict network access to the Keycloak Admin API to trusted management networks and administrative identities only.
- Audit use of the 'evaluate-scopes' Admin API and monitor for unexpected requests involving arbitrary or cross-user userId values.
- Review affected realms for unnecessary exposure of user identity or authorization data and rotate or narrow administrative privileges where appropriate.
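As an added detection example for the audit item above (this code is not from the page, Red Hat or the Keycloak project), the script below walks constructed access-log lines and flags evaluate-scopes calls whose userId is not the calling administrator's own account, then counts distinct target users per caller. The log layout, the /admin/realms/{realm}/clients/{id}/evaluate-scopes/ path form and the login-to-userId mapping are all assumptions to adapt to your deployment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed reverse-proxy access-log layout:
# "<caller-login> <method> <path-with-query>". Real deployments will differ.
SAMPLE_LOG = """\
alice GET /admin/realms/prod/clients/3f1c/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-alice
bob GET /admin/realms/prod/clients/3f1c/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-carol
bob GET /admin/realms/prod/clients/3f1c/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-dave
bob GET /admin/realms/prod/clients/3f1c/evaluate-scopes/protocol-mappers?scope=openid
alice GET /admin/realms/prod/users/u-alice
"""

# Assumed Admin REST path shape for the evaluate-scopes endpoints.
EVALUATE_SCOPES = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/clients/(?P<client>[^/]+)/evaluate-scopes/")


def parse_line(line):
    """Split one constructed log line into caller, method, path and userId."""
    caller, method, target = line.split(" ", 2)
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return {"caller": caller, "method": method, "path": parts.path,
            "user_id": query.get("userId", [None])[0]}


def find_cross_user_evaluations(log_text, own_user_ids):
    """Return (caller, userId, path) for evaluate-scopes calls that target a
    user other than the caller's own account. own_user_ids maps admin login
    name -> that admin's Keycloak user id (an assumed, locally maintained map)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not EVALUATE_SCOPES.match(rec["path"]) or rec["user_id"] is None:
            continue  # not an evaluate-scopes call, or no userId supplied
        if rec["user_id"] != own_user_ids.get(rec["caller"]):
            findings.append((rec["caller"], rec["user_id"], rec["path"]))
    return findings


def distinct_targets_per_caller(findings):
    """Count how many different users each caller evaluated scopes for;
    a high count from a delegated admin is the pattern worth reviewing."""
    per_caller = defaultdict(set)
    for caller, user_id, _ in findings:
        per_caller[caller].add(user_id)
    return {caller: len(users) for caller, users in per_caller.items()}
```

Feed the real access log and your own login-to-userId mapping in place of the constructed values; Keycloak's own admin events can be used instead where they record the request path and query.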
Evidence notes
This debrief is based only on the supplied CVE description, the NVD CVSS vector, the CWE-639 classification, and the referenced Red Hat advisory/bug links. No affected version range was included in the supplied corpus, so version-specific impact is not asserted here. The vendor metadata in the source item is low-confidence, but the vulnerability text and references identify Keycloak as the affected product.
Official resources
Public disclosure appears in the CVE record on 2026-05-19, with a follow-up update on 2026-05-20. The source set includes Red Hat security references and a Bugzilla link, while the NVD record was still marked 'Undergoing Analysis' in the as