CVE-2026-3190

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw exists in Keycloak where the User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets does not properly enforce the uma protection role check. This allows any authenticated user possessing a token issued for a resource server client, even without the necessary uma protection role, to list all permission tickets within the system, potentially leading to information disclosure. The vulnerable API endpoint is /uma-protection/permission-tickets. The uma protection role is not being verified before allowing access to enumerate permission tickets.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.