CVE-2026-37978 (EPSS percentile 31.4%)

redhat / build_of_keycloak

Description

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.

Scoring

CVSS: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.40% probability of exploitation · percentile 31.4% · 2026-06-18T12:00:27Z
Last modified: 2026-06-03

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-37981
CVE-2026-9795
CVE-2026-37979
CVE-2026-9088
CVE-2026-9791
CVE-2026-11577
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.