A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
{
"github_reviewed_at": "2026-06-04T15:26:30Z",
"nvd_published_at": "2026-05-19T12:16:17Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-639"
],
"severity": "MODERATE"
}