CVE-2026-37981 Overview
CVE-2026-37981 is a broken access control vulnerability in the user lookup endpoint of Keycloak's Account Resources API. It allows a remote, authenticated user who owns at least one User-Managed Access (UMA) resource to enumerate profile data for every user in the realm: when the caller submits requests carrying arbitrary usernames or email addresses, the endpoint returns full profile objects for accounts the caller has no relationship with. The issue is tracked as CWE-1220 (Insufficient Granularity of Access Control) and results in realm-wide disclosure of profile-level personally identifiable information (PII).
Critical Impact
Authenticated users who own at least one UMA resource can harvest PII for every user in the Keycloak realm, enabling downstream phishing, account targeting, and identity correlation attacks. No administrative role is required.
Affected Products
- Red Hat build of Keycloak (see RHSA-2026:19596)
- Red Hat Single Sign-On / Keycloak distributions referenced in RHSA-2026:19597
- Upstream Keycloak deployments exposing the Account Resources API
Discovery Timeline
- 2026-05-19 - CVE-2026-37981 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-37981
Vulnerability Analysis
The vulnerability resides in the Account Resources user lookup endpoint, which exposes profile lookups to clients that interact with User-Managed Access resources. The endpoint enforces authentication and a coarse-grained check that the caller owns at least one UMA resource. It does not enforce a relationship between the caller and the queried user. As a result, any authenticated principal meeting the UMA ownership precondition can submit lookup requests for usernames or email addresses they do not own. The endpoint returns full profile objects, including attributes that should remain restricted to administrators or the user themselves.
This behavior maps directly to CWE-1220, insufficient granularity of access control. The endpoint conflates resource ownership with authorization to perform cross-user profile queries.
Root Cause
The authorization logic checks that the requester holds a UMA resource but does not validate that the requester is authorized to read the target user's profile. The lookup handler uses caller-supplied identifiers as direct lookup keys against the user store. Profile serialization then returns attributes intended for the owning user or privileged administrators.
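The following Python model, added here as an illustration and not taken from Keycloak's source or the vendor's patch, reproduces the CWE-1220 pattern the root cause describes: a coarse "owns any UMA resource" gate standing in for a per-target authorization check, with caller-supplied identifiers used directly as lookup keys. The `Realm`, `User` and `UmaResource` types, the relationship rule in `is_related`, and the minimal projection returned by `lookup_hardened` are all assumptions chosen for the example; the hardened variant shows one possible policy, not the actual fix.

```python
from dataclasses import dataclass, field

# Illustrative model of the access-control gap. None of these classes or
# functions are Keycloak code; they stand in for the user store, the UMA
# resource registry and the lookup handler.


@dataclass
class User:
    username: str
    email: str
    first_name: str
    attributes: dict = field(default_factory=dict)  # custom attributes, often PII


@dataclass
class UmaResource:
    resource_id: str
    owner: str                                      # username of the resource owner
    shared_with: set = field(default_factory=set)  # usernames granted a permission


class Realm:
    def __init__(self, users, resources):
        self.users = {u.username.lower(): u for u in users}
        self.by_email = {u.email.lower(): u for u in users}
        self.resources = list(resources)

    def find_user(self, identifier):
        # The caller-supplied value is used directly as the lookup key,
        # the pattern the root-cause section describes.
        key = identifier.strip().lower()
        return self.users.get(key) or self.by_email.get(key)

    def owns_any_resource(self, caller):
        return any(r.owner == caller for r in self.resources)

    def is_related(self, caller, target):
        # Assumed per-target relationship: the target is the caller, or the
        # target already holds a permission on a resource the caller owns.
        if caller == target:
            return True
        return any(r.owner == caller and target in r.shared_with
                   for r in self.resources)


def lookup_vulnerable(realm, caller, identifier):
    """Pre-fix logic as described: the only gate is 'owns at least one UMA resource'."""
    if not realm.owns_any_resource(caller):
        raise PermissionError("caller owns no UMA resource")
    user = realm.find_user(identifier)
    if user is None:
        return None
    return {"username": user.username, "email": user.email,
            "firstName": user.first_name, "attributes": dict(user.attributes)}


def lookup_hardened(realm, caller, identifier):
    """One possible fix (assumed policy, not the vendor's patch): keep the coarse
    gate, add a per-target check, and return only what the caller needs."""
    if not realm.owns_any_resource(caller):
        raise PermissionError("caller owns no UMA resource")
    user = realm.find_user(identifier)
    if user is None or not realm.is_related(caller, user.username):
        # Same answer for 'unknown user' and 'not authorised', so the endpoint
        # does not double as an account-existence oracle.
        return None
    return {"username": user.username}


def enumerate_profiles(realm, caller, guesses, lookup=lookup_vulnerable):
    """The attacker's loop: try each guessed identifier, keep every profile returned."""
    found = {}
    for guess in guesses:
        profile = lookup(realm, caller, guess)
        if profile is not None:
            found[profile["username"]] = profile
    return found


def build_sample_realm():
    # Constructed sample data for this example.
    users = [
        User("alice", "alice@example.com", "Alice", {"phone": "+1-555-0100"}),
        User("bob", "bob@example.com", "Bob", {"employeeId": "E-4411"}),
        User("carol", "carol@example.com", "Carol", {"phone": "+1-555-0199"}),
    ]
    resources = [UmaResource("res-1", owner="alice", shared_with={"bob"})]
    return Realm(users, resources)


if __name__ == "__main__":
    realm = build_sample_realm()
    guesses = ["alice", "bob", "carol@example.com", "dave"]
    print("vulnerable:", enumerate_profiles(realm, "alice", guesses))
    print("hardened:  ", enumerate_profiles(realm, "alice", guesses, lookup_hardened))
```

Running it shows the asymmetry: `alice`, who owns one resource, pulls Carol's phone number through `lookup_vulnerable` even though Carol has no connection to any of Alice's resources, while `lookup_hardened` answers only for Alice herself and for Bob, who holds a share on her resource, and gives an identical `None` for Carol and for a non-existent user.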
Attack Vector
An attacker authenticates to Keycloak as a low-privilege realm user who owns at least one UMA resource. (In Keycloak, UMA resources are registered by a resource server, that is, a client with Authorization Services enabled, through the Protection API, and a realm user can be set as the resource owner; any such user satisfies the precondition.) The attacker then issues authenticated HTTP requests to the Account Resources user lookup endpoint, iterating through guessed or harvested usernames and email addresses. Each successful request returns a complete profile object, so repeated requests amount to bulk PII harvesting across the realm. Refer to the Red Hat CVE analysis and Bugzilla #2455326 for vendor technical details.
Detection Methods for CVE-2026-37981
Indicators of Compromise
- High-volume authenticated requests from a single principal to the Account Resources user lookup endpoint with varying username or email query parameters.
- Account Resources API responses returning profile objects for users unrelated to the requesting session (observable only where a reverse proxy or API gateway records response bodies or sizes).
- Sequential or dictionary-style enumeration patterns in Keycloak access logs originating from non-administrative accounts.
Detection Strategies
- Parse Keycloak access logs for repeated requests to the Account Resources user lookup path with distinct identifier parameters from the same token subject (sub claim). If the access log does not carry the caller's subject, enrich it at the reverse proxy or correlate requests by session instead.
- Correlate UMA resource creation events with subsequent bursts of user lookup requests by the same principal.
- Alert on any non-admin account that retrieves profile data for more than a small threshold of distinct users within a short window.
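The detector below implements the indicators and strategies listed above (distinct identifiers per principal inside a sliding window, with an allowlist for expected bulk readers) over a few constructed log lines. It is an added example, not part of the advisory or of Keycloak; the log format, the `/realms/<realm>/account/resources/user` path and the `username`/`email` query parameter names are assumptions standing in for whatever your deployment actually logs, so adjust `LINE_RE`, `LOOKUP_PATH` and `IDENT_PARAMS` before running it against real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines for this example (not real Keycloak output).
# Assumed format, as produced by a reverse proxy that adds the caller's token
# subject:  <ISO-8601 time> sub=<subject> <METHOD> <path?query> <status>
SAMPLE_LOG = """\
2026-05-19T10:00:01Z sub=u-alice GET /realms/corp/account/resources/user?username=alice 200
2026-05-19T10:00:09Z sub=u-alice GET /realms/corp/account/resources/user?username=bob 200
2026-05-19T10:05:00Z sub=u-mallory GET /realms/corp/account/resources/user?username=alice 200
2026-05-19T10:05:01Z sub=u-mallory GET /realms/corp/account/resources/user?username=bob 200
2026-05-19T10:05:01Z sub=u-mallory GET /realms/corp/account/resources/user?email=carol%40example.com 200
2026-05-19T10:05:02Z sub=u-mallory GET /realms/corp/account/resources/user?username=dave 200
2026-05-19T10:05:02Z sub=u-mallory GET /realms/corp/account/resources/user?username=erin 200
2026-05-19T10:05:03Z sub=u-mallory GET /realms/corp/account/resources/user?username=frank 200
2026-05-19T10:05:03Z sub=u-mallory GET /realms/corp/account/resources/user?username=nobody 404
2026-05-19T10:05:04Z sub=u-mallory GET /realms/corp/account/resources/user?username=grace 200
2026-05-19T10:05:05Z sub=u-mallory GET /realms/corp/account/resources/my-resources 200
2026-05-19T10:10:00Z sub=u-bob GET /realms/corp/account/resources/user?username=alice 200
2026-05-19T10:30:00Z sub=u-bob GET /realms/corp/account/resources/user?username=carol 200
2026-05-19T10:50:00Z sub=u-bob GET /realms/corp/account/resources/user?username=dave 200
2026-05-19T11:10:00Z sub=u-bob GET /realms/corp/account/resources/user?username=erin 200
2026-05-19T11:30:00Z sub=u-bob GET /realms/corp/account/resources/user?username=frank 200
2026-05-19T11:50:00Z sub=u-bob GET /realms/corp/account/resources/user?username=grace 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
LOOKUP_PATH = re.compile(r"^/realms/[^/]+/account/resources/user$")  # assumed path
IDENT_PARAMS = ("username", "email")                                   # assumed names


def parse_lookup(line):
    """Return {ts, sub, ident, status} for a user-lookup request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    if not LOOKUP_PATH.match(url.path):
        return None
    params = parse_qs(url.query)
    for key in IDENT_PARAMS:
        if params.get(key):
            ident = params[key][0].strip().lower()
            break
    else:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "sub": m["sub"], "ident": ident, "status": int(m["status"])}


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=5, allowlist=()):
    """Map each principal that queried more than `threshold` distinct identifiers
    inside any sliding `window` to its peak distinct-target count.  Failed
    lookups (404) count too: an enumerator's misses are part of the signal."""
    by_sub = defaultdict(list)
    for event in filter(None, map(parse_lookup, lines)):
        by_sub[event["sub"]].append(event)
    alerts = {}
    for sub, events in by_sub.items():
        if sub in allowlist:
            continue
        events.sort(key=lambda e: e["ts"])
        peak = 0
        for i, end in enumerate(events):
            start = end["ts"] - window
            targets = {e["ident"] for e in events[: i + 1] if e["ts"] >= start}
            peak = max(peak, len(targets))
        if peak > threshold:
            alerts[sub] = peak
    return alerts


if __name__ == "__main__":
    for sub, count in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {sub}: {count} distinct identifiers looked up within 60s")
```

With the defaults only `u-mallory` fires (eight distinct identifiers in five seconds); `u-bob`, who spreads six lookups over two hours, stays under the radar until the window is widened to match the "small threshold of distinct users within a short window" your baseline actually justifies, which is why both parameters are exposed rather than hard-coded.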
Monitoring Recommendations
- Forward Keycloak server and audit logs to a centralized SIEM and apply enumeration heuristics on the Account Resources endpoint.
- Track UMA resource ownership distributions and flag principals whose lookup volume diverges from baseline behavior.
- Monitor outbound traffic from application clients consuming Keycloak APIs for unexpected bulk profile retrieval patterns.
How to Mitigate CVE-2026-37981
Immediate Actions Required
- Apply the fixes published in RHSA-2026:19596 and RHSA-2026:19597 to affected Keycloak and Red Hat build of Keycloak deployments.
- Audit existing UMA resource ownership (each resource's owner is shown under the client's Authorization > Resources tab in the admin console and is returned by the Admin REST API) and revoke unused or stale resources to shrink the population of accounts that satisfy the vulnerable precondition.
- Review Keycloak access logs retroactively for enumeration patterns against the Account Resources user lookup endpoint.
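As an added example serving both the ownership audit above and the earlier recommendation to track UMA ownership distributions, the script below summarises which realm users own UMA resources on a given resource server. It is not part of the advisory or of Keycloak. `fetch_resources` pages through the Admin REST endpoint `GET /admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource` with a bearer token (assumed to carry an admin role; obtaining that token is left out), while `audit_ownership` works on the constructed JSON embedded here, whose field names follow Keycloak's resource representation and whose values are made up.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict

# Constructed sample of the Admin REST resource list for one resource server.
# Field names (_id, name, owner{id,name}, ownerManagedAccess) follow Keycloak's
# resource representation; the values are invented for this example.
SAMPLE_RESOURCES = json.loads("""
[
  {"_id": "r-1", "name": "Default Resource", "ownerManagedAccess": false,
   "owner": {"id": "client-uuid-1", "name": "photoz-api"}},
  {"_id": "r-2", "name": "album-1", "ownerManagedAccess": true,
   "owner": {"id": "u-1", "name": "alice"}},
  {"_id": "r-3", "name": "album-2", "ownerManagedAccess": true,
   "owner": {"id": "u-1", "name": "alice"}},
  {"_id": "r-4", "name": "album-3", "ownerManagedAccess": true,
   "owner": {"id": "u-2", "name": "bob"}},
  {"_id": "r-5", "name": "shared-doc", "ownerManagedAccess": false,
   "owner": {"id": "u-3", "name": "carol"}}
]
""")


def fetch_resources(base_url, realm, client_uuid, token, page_size=100):
    """Page through the Admin REST resource list using its first/max parameters."""
    out, first = [], 0
    while True:
        query = urllib.parse.urlencode({"first": first, "max": page_size})
        url = (f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"
               f"/authz/resource-server/resource?{query}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page)
        if len(page) < page_size:
            return out
        first += page_size


def audit_ownership(resources, client_uuid):
    """Separate client-owned resources from user-owned ones and count per user.
    Every user in `per_user` owns at least one UMA resource and therefore meets
    the precondition for CVE-2026-37981 until the server is patched."""
    per_user = defaultdict(int)
    client_owned = owner_managed = 0
    for r in resources:
        owner = r.get("owner") or {}
        if r.get("ownerManagedAccess"):
            owner_managed += 1
        if owner.get("id") == client_uuid:
            client_owned += 1
        else:
            per_user[owner.get("name") or owner.get("id") or "?"] += 1
    return {"client_owned": client_owned,
            "owner_managed": owner_managed,
            "per_user": dict(per_user),
            "users_meeting_precondition": len(per_user)}


if __name__ == "__main__":
    # Replace SAMPLE_RESOURCES with fetch_resources(base_url, realm, uuid, token)
    # to audit a live server.
    summary = audit_ownership(SAMPLE_RESOURCES, "client-uuid-1")
    print(json.dumps(summary, indent=2))
```

The `users_meeting_precondition` figure is the number to compare against your patch rollout: until every affected server is updated, each of those users is a potential enumerator, and the per-user counts show whose stale resources can be removed to shrink that set.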
Patch Information
Red Hat has published security errata addressing CVE-2026-37981. Administrators should install the updated Keycloak packages referenced in RHSA-2026:19596 and RHSA-2026:19597. Consult the Red Hat CVE page for version-specific guidance and component mappings.
Workarounds
- Until patches are applied, restrict the Account Resources path at the reverse proxy or API gateway to the networks and origins that legitimately use it (the account console and UMA-enabled applications). Denying the user lookup path outright is also an option, at the cost of breaking resource sharing in the account console.
- Disable Authorization Services on clients that do not need them. UMA resources are registered per client (resource server), so the attack precondition exists only where a client has Authorization Services enabled; there is no separate realm-level UMA switch to turn off.
- Enforce rate limiting and anomaly detection on the user lookup endpoint through an upstream reverse proxy or API gateway. This slows bulk harvesting but does not stop a patient attacker, so treat it as a compensating control rather than a fix.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


