{"api_version":"1","generated_at":"2026-06-10T13:42:40+00:00","cve":"CVE-2026-3911","urls":{"html":"https://cve.report/CVE-2026-3911","api":"https://cve.report/api/cve/CVE-2026-3911.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-3911","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-3911"},"summary":{"title":"Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint","description":"A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-03-11 06:17:15","updated_at":"2026-05-07 18:30:50"},"problem_types":["CWE-359","NVD-CWE-noinfo","CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"2.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","baseScore":2.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"2.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":2.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:6478","name":"https://access.redhat.com/errata/RHSA-2026:6478","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-3911","name":"https://access.redhat.com/security/cve/CVE-2026-3911","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446392","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2446392","refsource":"secalert@redhat.com","tags":["Issue Tracking"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6477","name":"https://access.redhat.com/errata/RHSA-2026:6477","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-3911","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3911","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4.11-1 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4-14 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4-14 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.11","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-03-11T03:30:01.455Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-03-11T03:30:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank drak3hft7 for reporting this issue.","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"3911","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"build_of_keycloak","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"text-only","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"3911","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"build_of_keycloak","cpe6":"26.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"3911","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"build_of_keycloak","cpe6":"26.4.11","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"3911","cve":"CVE-2026-3911","epss":"0.000120000","percentile":"0.017560000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:54"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-3911","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-11T14:03:16.868337Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-11T14:04:06.063Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-operator-bundle","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4.11-1","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4-14","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9-operator","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4-14","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat build of Keycloak 26.4.11","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank drak3hft7 for reporting this issue."}],"datePublic":"2026-03-11T03:30:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Low"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":2.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-359","description":"Exposure of Private Personal Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T16:47:22.731Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2026:6477","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6477"},{"name":"RHSA-2026:6478","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6478"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-3911"},{"name":"RHBZ#2446392","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446392"}],"timeline":[{"lang":"en","time":"2026-03-11T03:30:01.455Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-11T03:30:00.000Z","value":"Made public."}],"title":"Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-359: Exposure of Private Personal Information to an Unauthorized Actor"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-3911","datePublished":"2026-03-11T05:36:43.743Z","dateReserved":"2026-03-11T03:32:12.979Z","dateUpdated":"2026-04-02T16:47:22.731Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-11 06:17:15","lastModifiedDate":"2026-05-07 18:30:50","problem_types":["CWE-359","NVD-CWE-noinfo","CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","baseScore":2.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*","matchCriteriaId":"1830E455-7E11-4264-862D-05971A42D4A6"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*","matchCriteriaId":"3C8F3485-92CB-4F23-A35A-AAA444FDF39E"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:*:*:*:*","matchCriteriaId":"F8B6CCB7-EDF2-41EA-A097-18340D5D03DE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3911","Ordinal":"1","Title":"Org.keycloak.services.resources.admin.userresource: keycloak: in","CVE":"CVE-2026-3911","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3911","Ordinal":"1","NoteData":"A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.","Type":"Description","Title":"Org.keycloak.services.resources.admin.userresource: keycloak: in"}]}}}