CVE-2026-37978 Overview
CVE-2026-37978 is an authorization flaw in Keycloak that allows a low-privilege administrator holding the view-clients role to access user data belonging to other realm users. The vulnerability resides in the evaluate-scopes Admin API endpoints, which fail to validate that the supplied userId parameter corresponds to a user the caller is authorized to inspect. Attackers can iterate arbitrary user identifiers and harvest personally identifiable information (PII), identity attributes, and authorization data across the realm. The weakness is tracked as CWE-639: Authorization Bypass Through User-Controlled Key and is exploitable remotely over the network.
Critical Impact
A view-clients administrator can enumerate user IDs against the evaluate-scopes endpoints to extract cross-tenant PII and authorization mappings without any user interaction.
Affected Products
- Red Hat build of Keycloak (see RHSA-2026:19596)
- Red Hat Single Sign-On (see RHSA-2026:19597)
- Upstream Keycloak deployments exposing the Admin API
Discovery Timeline
- 2026-05-19 - CVE-2026-37978 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-37978
Vulnerability Analysis
Keycloak exposes Admin REST endpoints under evaluate-scopes that compute the effective scopes and claims a given user would receive for a specific client. These endpoints accept a userId query parameter and return resolved identity attributes, role mappings, and claim payloads. The server checks that the caller holds the view-clients role on the client being evaluated, but it does not enforce that the caller may also view the target user.
A caller with only view-clients can therefore pass any realm user identifier and receive token-equivalent data describing that user. The response surface includes username, email, profile attributes, and assigned roles. Because the view-clients role is commonly delegated to integration and operations staff, the privilege boundary it implies is broken by this behavior.
Root Cause
The defect is a missing authorization check on a user-controlled key, matching the CWE-639 pattern. The endpoint authorizes the operation against the client scope but not against the user record dereferenced by userId. Authorization decisions consider only the role granted on the client object and skip per-user access evaluation.
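The following Python model is added here to illustrate the CWE-639 pattern described above; it is not Keycloak's or Red Hat's code. It contrasts an endpoint that authorizes only against the client object (then dereferences the caller-supplied userId unchecked) with a variant that also authorizes against the user key. The roles, realm data and the choice of view-users as the per-user permission are assumptions for the illustration; the page does not state which check the upstream fix applies.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass(frozen=True)
class Caller:
    name: str
    roles: frozenset  # realm-management roles held, e.g. frozenset({"view-clients"})


@dataclass
class Realm:
    clients: dict = field(default_factory=dict)  # client_id -> client name
    users: dict = field(default_factory=dict)    # user_id -> data the endpoint exposes


def resolve_scopes(realm, client_id, user):
    """Simplified response surface: identity attributes plus role mappings for the client."""
    return {
        "client": realm.clients[client_id],
        "username": user["username"],
        "email": user["email"],
        "attributes": user["attributes"],
        "roles": user["roles"],
    }


def evaluate_scopes_vulnerable(realm, caller, client_id, user_id):
    """CWE-639 shape: authorization covers the client object only, then the
    user-controlled userId is dereferenced with no per-user check."""
    if "view-clients" not in caller.roles:
        raise Forbidden(f"{caller.name} lacks view-clients")
    if client_id not in realm.clients:
        raise KeyError(client_id)
    return resolve_scopes(realm, client_id, realm.users[user_id])


def evaluate_scopes_hardened(realm, caller, client_id, user_id):
    """Authorize against both keys named by the request: the client AND the user.
    Requiring view-users is an assumption made for this illustration."""
    if "view-clients" not in caller.roles:
        raise Forbidden(f"{caller.name} lacks view-clients")
    if client_id not in realm.clients:
        raise KeyError(client_id)
    if "view-users" not in caller.roles:
        raise Forbidden(f"{caller.name} may not view user {user_id}")
    return resolve_scopes(realm, client_id, realm.users[user_id])


def build_sample_realm():
    """Constructed sample data; every identifier here is a placeholder."""
    return Realm(
        clients={"c1": "billing-portal"},
        users={
            "u-0001": {"username": "alice", "email": "alice@example.test",
                       "attributes": {"department": "finance"}, "roles": ["billing-admin"]},
            "u-0002": {"username": "bob", "email": "bob@example.test",
                       "attributes": {"department": "hr"}, "roles": ["employee"]},
        },
    )


def demo():
    """Compare outcomes for a view-clients-only operator and a full user-view admin."""
    realm = build_sample_realm()
    ops = Caller("ops-integration", frozenset({"view-clients"}))
    admin = Caller("realm-admin", frozenset({"view-clients", "view-users"}))
    out = {"vulnerable_ops": evaluate_scopes_vulnerable(realm, ops, "c1", "u-0002")["email"]}
    try:
        evaluate_scopes_hardened(realm, ops, "c1", "u-0002")
        out["hardened_ops"] = "allowed"
    except Forbidden:
        out["hardened_ops"] = "forbidden"
    out["hardened_admin"] = evaluate_scopes_hardened(realm, admin, "c1", "u-0002")["email"]
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the order of checks: the vulnerable variant returns bob's email and attributes to an operator who only holds view-clients, while the hardened variant refuses the same request and still serves the administrator who legitimately has user visibility.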
Attack Vector
An authenticated administrator with view-clients issues authenticated HTTP requests to the Admin API. By varying the userId parameter, the attacker enumerates users and collects PII and authorization data. No user interaction is required, and the attack can be scripted to harvest the entire realm. The vulnerability description and technical details are documented in the Red Hat CVE analysis for CVE-2026-37978 and Red Hat Bug Report #2455327.
Detection Methods for CVE-2026-37978
Indicators of Compromise
- Bursts of Admin API requests to paths containing evaluate-scopes from a single administrator session.
- Sequential or high-cardinality variation of the userId parameter from one caller within a short time window.
- Admin API access tokens belonging to service accounts that hold only view-clients but query user-scoped endpoints.
Detection Strategies
- Enable Keycloak admin event logging and alert on evaluate-scopes invocations correlated with the calling principal's role set.
- Baseline normal userId access patterns per administrator and flag deviations such as enumeration sequences.
- Cross-reference Admin API audit logs with HR or directory data to detect lookups against users outside the caller's business scope.
Monitoring Recommendations
- Forward Keycloak admin and event logs to a centralized SIEM with retention sufficient for retroactive hunts.
- Track unique userId values queried per session and alert when thresholds are exceeded.
- Monitor for unexpected client or service-account usage of the evaluate-scopes endpoints outside change windows.
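The following Python script is added as a worked example of the detection strategies and monitoring thresholds listed above; it is not part of the advisory or of any Keycloak tooling. It assumes a hypothetical JSON-lines log (for example from the reverse proxy or an admin-event sink) that records the caller, its realm-management roles and the full Admin API path with query string. The sample lines, realm name, client id and user ids are constructed placeholders. It raises one alert when a principal holding view-clients but not view-users calls a user-scoped evaluate-scopes endpoint, and another when a principal touches at least five distinct userId values inside a 60-second sliding window.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Matches the evaluate-scopes sub-resources of a client in any realm.
EVALUATE_SCOPES_RE = re.compile(
    r"^/admin/realms/(?P<realm>[^/]+)/clients/(?P<client>[^/]+)/evaluate-scopes(?:/|$)"
)


def parse_line(line):
    """Return a normalised event for an evaluate-scopes call, or None for other paths.
    Log schema (assumed): {"ts", "principal", "roles", "method", "path"}."""
    rec = json.loads(line)
    url = urlparse(rec["path"])
    match = EVALUATE_SCOPES_RE.match(url.path)
    if match is None:
        return None
    user_ids = parse_qs(url.query).get("userId", [])
    return {
        "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
        "principal": rec["principal"],
        "roles": set(rec.get("roles", [])),
        "realm": match.group("realm"),
        "client": match.group("client"),
        "user_id": user_ids[0] if user_ids else None,
    }


def detect(lines, window_seconds=60, distinct_user_threshold=5):
    """Emit alerts for (a) view-clients-only callers reaching user-scoped
    evaluate-scopes endpoints and (b) high-cardinality userId variation per
    principal within a sliding window. Each (kind, principal) is reported once."""
    alerts, reported = [], set()
    recent = defaultdict(deque)  # principal -> deque of (ts, user_id)

    def report(kind, ev, **extra):
        key = (kind, ev["principal"])
        if key in reported:
            return
        reported.add(key)
        alerts.append({"kind": kind, "principal": ev["principal"],
                       "ts": ev["ts"].isoformat(), **extra})

    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user_id"] is None:
            continue  # not a user-scoped evaluate-scopes call
        if "view-clients" in ev["roles"] and "view-users" not in ev["roles"]:
            report("role-mismatch", ev, user_id=ev["user_id"])
        window = recent[ev["principal"]]
        window.append((ev["ts"], ev["user_id"]))
        while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # drop entries that fell out of the window
        distinct = {uid for _, uid in window}
        if len(distinct) >= distinct_user_threshold:
            report("enumeration", ev, distinct_user_ids=len(distinct),
                   window_seconds=window_seconds)
    return alerts


# Constructed sample log: alice holds realm-wide user visibility; svc-integration
# holds only view-clients and walks through five user ids in a few seconds.
_BASE = "/admin/realms/acme/clients/c1/evaluate-scopes/generate-example-access-token?scope=openid&userId="


def _line(ts, principal, roles, path):
    return json.dumps({"ts": ts, "principal": principal, "roles": roles,
                       "method": "GET", "path": path})


SAMPLE_LOG = [
    _line("2026-05-20T10:00:00Z", "alice", ["view-clients", "view-users"], _BASE + "u-0001"),
    _line("2026-05-20T10:00:05Z", "svc-integration", ["view-clients"], _BASE + "u-0001"),
    _line("2026-05-20T10:00:06Z", "svc-integration", ["view-clients"], _BASE + "u-0002"),
    _line("2026-05-20T10:00:07Z", "svc-integration", ["view-clients"], _BASE + "u-0003"),
    _line("2026-05-20T10:00:08Z", "svc-integration", ["view-clients"], _BASE + "u-0004"),
    _line("2026-05-20T10:00:09Z", "svc-integration", ["view-clients"], _BASE + "u-0005"),
    _line("2026-05-20T10:00:10Z", "svc-integration", ["view-clients"], "/admin/realms/acme/clients/c1"),
    _line("2026-05-20T10:30:00Z", "alice", ["view-clients", "view-users"], _BASE + "u-0002"),
]


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the script produces exactly two alerts, both for svc-integration: a role-mismatch on its first user-scoped call and an enumeration alert once the fifth distinct userId appears within the window. alice's two lookups, thirty minutes apart and made with user visibility, stay silent. For a real SIEM rule the threshold and window would be tuned per administrator against the baseline the Detection Strategies section recommends.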
How to Mitigate CVE-2026-37978
Immediate Actions Required
- Apply the Red Hat updates published in RHSA-2026:19596 and RHSA-2026:19597 as soon as maintenance windows permit.
- Audit which principals hold the view-clients role and remove the assignment from accounts that do not require it.
- Review Admin API access logs for prior evaluate-scopes calls and investigate any cross-user enumeration.
Patch Information
Red Hat has released fixed packages for Red Hat build of Keycloak and Red Hat Single Sign-On. Refer to the vendor advisories RHSA-2026:19596 and RHSA-2026:19597 for fixed version numbers and upgrade procedures. Upstream Keycloak operators should track the corresponding fix in the project release notes referenced by the Red Hat CVE page.
Workarounds
- Restrict network access to the Keycloak Admin API to trusted management networks and bastions.
- Reduce administrator role grants so that view-clients is assigned only to operators who already have realm-wide user visibility.
- Place a reverse proxy or API gateway in front of the Admin API to rate-limit and audit evaluate-scopes requests until patching is complete.
# Configuration example: restrict Admin API exposure via reverse proxy (nginx)
# The limit_req zone used below must be declared once in the http {} context
# (rate value is illustrative), and keycloak_upstream must be a defined upstream:
#   limit_req_zone $binary_remote_addr zone=admin_api:10m rate=10r/s;
location ~* ^/admin/realms/[^/]+/clients/[^/]+/evaluate-scopes {
    allow 10.0.0.0/8;   # management network only
    deny all;
    limit_req zone=admin_api burst=5 nodelay;
    proxy_pass http://keycloak_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.