What is GHSA-933f-rg6j-f46p?

GHSA-933f-rg6j-f46p is a security advisory published by GitHub Security Advisories with Medium severity. A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user...

Which CVE IDs does GHSA-933f-rg6j-f46p cover?

GHSA-933f-rg6j-f46p covers the following CVE IDs: CVE-2026-37981. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-933f-rg6j-f46p?

GHSA-933f-rg6j-f46p has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

GHSA-933f-rg6j-f46pMediumCVSS 4.3

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user...

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-37981 →

📋 Description

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-37981
https://access.redhat.com/security/cve/CVE-2026-37981
https://bugzilla.redhat.com/show_bug.cgi?id=2455326
https://github.com/advisories/GHSA-933f-rg6j-f46p