CVE-2026-3190

MEDIUM

Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api

Title source: cna

Description

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

References (4)

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-3190

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2442572

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6477

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6478

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-280

Status published

Products (8)

org.keycloak/keycloak-model-jpa 0 - 26.5.6Maven

org.keycloak/keycloak-server-spi-private 0 - 26.5.6Maven

org.keycloak/keycloak-services 0 - 26.5.6Maven

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat build of Keycloak 26.4 26.4-14

Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat/Red Hat build of Keycloak 26.4.11

redhat/build_of_keycloak

Published Mar 26, 2026

Tracked Since Mar 27, 2026