PT-2026-41869 · Red Hat · Keycloak
Osidb Bzimport · Published 2026-05-19 · Updated 2026-06-03 · CVE-2026-37978
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: A flaw in the Admin API allows a low-privilege administrator holding only the 'view-clients' role to cause cross-role leakage of personally identifiable information (PII). By invoking the 'evaluate-scopes' endpoint with an arbitrary userId parameter, such an administrator gains unauthorized visibility into user identities and authorizations across the realm, even though the 'view-clients' role alone should not grant access to user data. The issue is exploitable remotely by anyone with network access to the Admin API and such a role.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: IDOR

Related Identifiers:
CVE-2026-37978
GHSA-RRV7-3MQF-HXFR

Affected Products: Keycloak