keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...

CVE-2026-37981

Keycloak CVE-2026-37981 describes a broken access control in the Account Resources user lookup endpoint, where a remote authenticated user owning at least one UMA resource can enumerate and harvest PII for all realm users by sending crafted requests with arbitrary usernames or emails. The endpoin...

EUVD-2026-30881

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...

CVE-2026-37981 Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...