CVE-2026-3190

MEDIUM

Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api

Title source: cna
STIX 2.1

Description

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

References (4)

Core 4
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-3190
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2442572
https://bugzilla.redhat.com/show_bug.cgi?id=2442572
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6477
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:6478
https://access.redhat.com/errata/RHSA-2026:6478

Scores

CVSS v3 4.3
EPSS 0.0032
EPSS Percentile 23.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-280
Status published
Products (8)
org.keycloak/keycloak-model-jpa 0 - 26.5.6Maven
org.keycloak/keycloak-server-spi-private 0 - 26.5.6Maven
org.keycloak/keycloak-services 0 - 26.5.6Maven
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 26.4 26.4-14
Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1
Red Hat/Red Hat build of Keycloak 26.4.11
redhat/build_of_keycloak
Published Mar 26, 2026
Tracked Since Mar 27, 2026