CVE-2026-3190 MEDIUM

CVE-2026-3190: Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.11
Weakness CWE-280
Published March 26, 2026
Last update April 2, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

Key dates

02Disclosure timeline

March 26, 2026 CVE published
April 2, 2026 Record updated