PatchSiren cyber security CVE debrief
CVE-2026-37981 Red Hat CVE debrief
CVE-2026-37981 describes a broken access control flaw in Keycloak’s Account Resources user lookup endpoint. A remote authenticated user who owns at least one User-Managed Access (UMA) resource can send crafted requests with arbitrary usernames or email values and receive full profile objects for unrelated realm users. The result is broad disclosure of personally identifiable information (PII) across the realm.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Organizations running Keycloak, especially deployments that use UMA and expose the Account Resources user lookup endpoint to authenticated users. Identity and access management teams, platform operators, and security teams should treat this as a privacy-impacting information disclosure issue.
Technical summary
The supplied CVE description states that the endpoint’s access control checks are insufficient for the lookup operation. Instead of limiting results to the requesting user or authorized relationships, the endpoint can return full profile objects for other realm users when queried with arbitrary username or email values. The NVD record classifies the issue as network-reachable, low-complexity, requiring low-privilege authentication, with no user interaction and no impact to integrity or availability. The provided weakness mapping is CWE-1220 and the CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.
Defensive priority
Medium — prioritize review if Keycloak and UMA are in use, because the issue can expose PII broadly to authenticated users even though it does not affect integrity or availability.
Recommended defensive actions
- Review Keycloak deployments for use of the Account Resources user lookup endpoint and UMA-enabled user populations.
- Restrict access to identity and account-management functions to the minimum necessary authenticated roles until vendor guidance is applied.
- Monitor authentication and account-lookup activity for unusual username/email enumeration patterns and repeated profile queries.
- Track the Red Hat security advisory and bug tracker references for vendor remediation guidance and any fixed release information.
- Validate whether exposed profile fields include sensitive attributes beyond basic display data and reduce returned attributes where possible.
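The monitoring action above, worked as an added example that is not part of this debrief or of Keycloak: a sliding-window check over constructed, gateway-style access-log lines that flags any authenticated subject who looks up many distinct usernames or emails against the lookup endpoint in a short span. The log line format and the `/account/resources/` path fragment are assumptions, not Keycloak's real formats.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (assumed format): timestamp, authenticated subject,
# method, request URL. Not real Keycloak output.
SAMPLE_LOG = """\
2026-05-20T10:00:01Z sub=alice GET /realms/demo/account/resources/lookup?username=bob
2026-05-20T10:00:02Z sub=alice GET /realms/demo/account/resources/lookup?username=carol
2026-05-20T10:00:03Z sub=alice GET /realms/demo/account/resources/lookup?email=dave@example.com
2026-05-20T10:00:04Z sub=alice GET /realms/demo/account/resources/lookup?email=erin@example.com
2026-05-20T10:00:05Z sub=alice GET /realms/demo/account/resources/lookup?username=frank
2026-05-20T10:00:06Z sub=bob GET /realms/demo/account/resources/lookup?username=alice
2026-05-20T10:00:07Z sub=bob GET /realms/demo/account/resources/
"""

LINE_RE = re.compile(r"^(\S+) sub=(\S+) \S+ (\S+)$")
LOOKUP_PATH = "/account/resources/"  # placeholder for the user lookup endpoint


def parse_events(log_text):
    """Yield (timestamp, subject, lookup_target) for username/email lookups only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_text, subject, url = m.groups()
        parts = urlsplit(url)
        if LOOKUP_PATH not in parts.path:
            continue
        qs = parse_qs(parts.query)
        target = (qs.get("username") or qs.get("email") or [None])[0]
        if target is None:
            continue  # request carried no username/email value
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, subject, target.lower()))
    return sorted(events)


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {subject: distinct targets} for subjects that looked up at least
    `threshold` distinct other users within any `window`-long span."""
    recent = defaultdict(deque)  # subject -> (ts, target) pairs inside the window
    flagged = defaultdict(set)
    for ts, subject, target in parse_events(log_text):
        if target == subject.lower():
            continue  # looking up your own account is expected behaviour
        q = recent[subject]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold:
            flagged[subject] |= distinct
    return dict(flagged)
```

Tune `threshold` and `window` to the realm's normal resource-sharing volume; a single user sharing with a handful of colleagues should stay well below the alert line.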
Evidence notes
All material facts are taken from the supplied CVE description and the NVD source item metadata. The CVE description says the flaw is in Keycloak and allows a remote authenticated user with at least one UMA resource to enumerate and harvest PII for all realm users via crafted username or email requests. The NVD metadata supplies the CVSS vector, severity context, and CWE-1220 mapping. Red Hat advisory and Bugzilla references are present in the source corpus, but no fix version or patch details were supplied here.
Official resources
Publicly disclosed in the CVE record on 2026-05-19T12:16:18.463Z.