Fluid Attacks Database

Description

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-server-spi-private	>=0 <26.5.6	26.5.6
maven	org.keycloak:keycloak-model-jpa	>=0 <26.5.6	26.5.6
maven	org.keycloak:keycloak-services	>=0 <26.5.6	26.5.6

Aliases

1. CVE-2026-31902. NVD-2026-31903. OSV-2026-31904. GCVE-2026-31905. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2026-3190

References

1. https://github.com/keycloak/keycloak/issues/467232. https://github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab06943. https://bugzilla.redhat.com/show_bug.cgi?id=2442572