CVE-2026-37978: Keycloak: Information Disclosure via evaluate-scopes Admin API
(updated )
A flaw was found in Keycloak. A low-privilege administrator with the ‘view-clients’ role can exploit this by invoking the ’evaluate-scopes’ Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
References
- access.redhat.com/errata/RHSA-2026:19596
- access.redhat.com/errata/RHSA-2026:19597
- access.redhat.com/security/cve/CVE-2026-37978
- bugzilla.redhat.com/show_bug.cgi?id=2455327
- github.com/advisories/GHSA-rrv7-3mqf-hxfr
- github.com/keycloak/keycloak/commit/492d1f04cdad425dadb9d5e1faa94dd17a875573
- github.com/keycloak/keycloak/commit/ba9a18744dcec2ef46f284d25c1c0aa1c962a500
- nvd.nist.gov/vuln/detail/CVE-2026-37978
Code Behaviors & Features
Detect and mitigate CVE-2026-37978 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →