CVE-2026-3911 Overview
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
Critical Impact
Authenticated users with limited administrative privileges can bypass attribute visibility controls and access hidden user data, potentially exposing sensitive personal information configured to be restricted.
Affected Products
- Keycloak (specific versions not disclosed)
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-3911 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-3911
Vulnerability Analysis
This vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The flaw exists within Keycloak's UserResource component, which handles user management operations within the administrative console.
The vulnerability allows authenticated users who possess the view-users role to circumvent the attribute visibility configuration settings. Keycloak provides administrators the ability to mark certain user attributes as hidden, preventing them from being displayed or retrieved through normal administrative interfaces. However, this vulnerability creates a bypass condition where these hidden attributes can still be retrieved through specific administrative API endpoints.
The attack requires network access and authenticated privileges with the view-users role, which limits the attack surface to users who already have some level of administrative access to the Keycloak realm.
Root Cause
The root cause lies in improper access control enforcement within the UserResource component. While Keycloak correctly validates that a user has the view-users role before allowing access to user data, it fails to properly filter out attributes that have been configured as hidden. This results in a gap between the configured attribute visibility policy and the actual enforcement of that policy when processing certain administrative requests.
Attack Vector
The attack is network-based and requires an authenticated session with the view-users role. An attacker would need to:
- Authenticate to Keycloak with valid credentials for an account that has the view-users role assigned
- Access the specific administrative endpoint within the UserResource component
- Retrieve user data that includes hidden attributes which should not be visible to their access level
The vulnerability enables horizontal information disclosure, allowing users with limited view permissions to see data beyond their authorized scope. For additional technical details, refer to the Red Hat CVE-2026-3911 Advisory and Red Hat Bug Report #2446392.
Detection Methods for CVE-2026-3911
Indicators of Compromise
- Unusual access patterns to user management API endpoints from accounts with view-users role
- Audit log entries showing retrieval of user attributes that should be hidden based on realm configuration
- Increased API calls to UserResource endpoints from service accounts or administrative users
Detection Strategies
- Monitor Keycloak audit logs for access to user attribute endpoints by users with limited administrative roles
- Implement alerting for API requests that return hidden attribute values
- Review access control configurations to identify users with view-users role who may be potential threat actors
- Deploy network traffic analysis to detect anomalous patterns in administrative API usage
Monitoring Recommendations
- Enable comprehensive audit logging for all administrative operations in Keycloak
- Configure alerts for bulk user data retrieval operations
- Implement regular review of users assigned the view-users role to ensure principle of least privilege
- Monitor for unusual access times or IP addresses accessing administrative endpoints
How to Mitigate CVE-2026-3911
Immediate Actions Required
- Review and audit all users currently assigned the view-users role
- Remove the view-users role from accounts that do not require it
- Implement network segmentation to restrict access to Keycloak administrative endpoints
- Enable enhanced audit logging to track access to user data
Patch Information
Red Hat has acknowledged this vulnerability. Organizations should monitor the Red Hat CVE-2026-3911 Advisory for patch availability and update to the patched version of Keycloak as soon as it becomes available. Check Red Hat Bug Report #2446392 for tracking information on the fix.
Workarounds
- Restrict assignment of the view-users role to only essential personnel who require it
- Implement additional network-level access controls to limit who can reach Keycloak administrative APIs
- Consider implementing API gateway rate limiting and monitoring for administrative endpoints
- Review and minimize the sensitive data stored in user attributes where possible
# Example: Audit users with view-users role using Keycloak Admin CLI
# List all users with admin roles for review
kcadm.sh get roles/view-users/users -r YOUR_REALM
# Review realm-level role assignments
kcadm.sh get roles -r YOUR_REALM | grep -A 5 "view-users"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
