Severity by source
CVSS vector (NVD, primary rating): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Blast Radius (ecosystem impact)
- 26 Maven packages depend on org.keycloak:keycloak-model-jpa (3 direct, 23 indirect)
- 54 Maven packages depend on org.keycloak:keycloak-server-spi-private (22 direct, 32 indirect)
- 44 Maven packages depend on org.keycloak:keycloak-services (16 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.5.6 and other introduced versions.
Description (CVE.org)
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability leads to partial information disclosure.
Analysis (AI)
Keycloak's User-Managed Access (UMA) 2.0 Protection API fails to enforce role-based access control on the permission tickets endpoint, allowing any authenticated user with a resource server client token to enumerate all permission tickets regardless of authorization level. This information disclosure vulnerability affects Red Hat Build of Keycloak across multiple versions and requires valid authentication to exploit, posing a moderate risk to multi-tenant environments where ticket enumeration could expose sensitive access control data. …
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Risk Assessment | The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates a network-accessible vulnerability requiring low-privilege authentication with low attack complexity, resulting in a confidentiality impact but no integrity or availability impact. … |
| Exploit Scenario | An attacker with valid credentials for any resource server client (for example, a low-privilege application integrated with Keycloak) obtains a bearer token via the OAuth 2.0 client credentials flow. The attacker then sends requests to the UMA 2.0 permission tickets endpoint; because the server does not enforce the `uma_protection` role check, the requests succeed even though the token lacks that role. … |
| Remediation | Consult Red Hat's security advisory at https://access.redhat.com/security/cve/CVE-2026-3190 and apply the vendor-released patch or upgrade to a patched version of Red Hat Build of Keycloak as specified in the advisory. … |
Recommended Action (AI)
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
Vendor Status
Debian: Bug #1088287
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
|  | open | - | - |
Related identifiers
- EUVD-2026-16309
- GHSA-q35r-vvhv-vx5h