Skip to main content

Keycloak. An CVE-2026-3911

LOW
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-03-11 secalert@redhat.com GHSA-xh32-c9wx-phrp
Information Disclosure
2.7
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 11, 2026 - 06:17 nvd
LOW 2.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 43 maven packages depend on org.keycloak:keycloak-services (15 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.5.

DescriptionNVD

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.

AnalysisAI

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-3911 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy