CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API #46723

@ahus1

Description

https://issues.redhat.com/browse/RHBK-4311

The issue was rated as Moderate. This flaw in Keycloak allows information disclosure due to improper role enforcement in the UMA 2.0 Protection API. An authenticated user with a token issued for a resource server client, even without the uma_protection role, can enumerate all permission tickets in the system.
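The defect described above is a missing role check on a resource-server-facing endpoint. The following added example (not Keycloak's code; the token fields, function names and sample tickets are assumptions constructed for illustration) contrasts a listing routine that only checks that the caller holds a client token with a hardened one that additionally requires the uma_protection role and scopes results to the calling resource server:

```python
"""Illustrative guard for a UMA 2.0 permission-ticket listing endpoint.

Added example, not Keycloak's implementation. The AccessToken/PermissionTicket
shapes and the function names are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

UMA_PROTECTION_ROLE = "uma_protection"


class Forbidden(Exception):
    """Raised when the caller may not read permission tickets."""


@dataclass
class AccessToken:
    subject: str
    authorized_party: str                      # 'azp': client the token was issued for
    realm_roles: frozenset = frozenset()       # realm-level roles
    client_roles: dict = field(default_factory=dict)  # client id -> set of client roles


@dataclass
class PermissionTicket:
    ticket_id: str
    resource_server: str   # client that owns the protected resource
    resource: str
    requester: str


def has_uma_protection(token: AccessToken, resource_server: str) -> bool:
    """True if uma_protection is granted at realm level or as a client role
    of the resource server the request is made against."""
    if UMA_PROTECTION_ROLE in token.realm_roles:
        return True
    return UMA_PROTECTION_ROLE in token.client_roles.get(resource_server, set())


def list_tickets_weak(token: AccessToken, resource_server: str, tickets):
    """Weak pattern: only verifies that the token names some client (azp).
    No role check and no scoping, so every ticket in the store is returned."""
    if not token.authorized_party:
        raise Forbidden("token carries no client")
    return list(tickets)


def list_tickets_hardened(token: AccessToken, resource_server: str, tickets):
    """Hardened pattern: token must be issued for this resource server AND
    carry uma_protection; results are limited to that server's own tickets."""
    if token.authorized_party != resource_server:
        raise Forbidden("token was not issued for this resource server")
    if not has_uma_protection(token, resource_server):
        raise Forbidden("uma_protection role required")
    return [t for t in tickets if t.resource_server == resource_server]


# Constructed sample data: two resource servers, three tickets in the store.
SAMPLE_TICKETS = [
    PermissionTicket("t-1", "photo-api", "album/42", "bob"),
    PermissionTicket("t-2", "photo-api", "album/7", "carol"),
    PermissionTicket("t-3", "docs-api", "doc/9", "dave"),
]
TOKEN_NO_ROLE = AccessToken("alice", "photo-api")                       # ordinary user token for the client
TOKEN_WITH_ROLE = AccessToken("svc-photo", "photo-api",
                              client_roles={"photo-api": {UMA_PROTECTION_ROLE}})
TOKEN_OTHER_CLIENT = AccessToken("svc-docs", "docs-api",
                                 client_roles={"docs-api": {UMA_PROTECTION_ROLE}})


def count_visible(listing, token: AccessToken, resource_server: str) -> int:
    """Number of tickets the listing exposes to this caller, or -1 when denied."""
    try:
        return len(listing(token, resource_server, SAMPLE_TICKETS))
    except Forbidden:
        return -1


if __name__ == "__main__":
    for name, fn in (("weak", list_tickets_weak), ("hardened", list_tickets_hardened)):
        for label, tok in (("no role", TOKEN_NO_ROLE), ("with role", TOKEN_WITH_ROLE),
                           ("other client", TOKEN_OTHER_CLIENT)):
            print(f"{name:9s} {label:13s} -> {count_visible(fn, tok, 'photo-api')}")
```

With the weak routine the role-less user token sees all three tickets, including the one belonging to a different resource server; the hardened routine denies that caller, denies a token issued for another client even though it has the role, and returns only the two photo-api tickets to the properly privileged service token. Logging each Forbidden outcome at the endpoint gives a detection hook for repeated ticket-listing attempts from tokens lacking the role.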
