Security Advisory

CVE-2026-3190

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-26 19:12:38

Last updated 2026-04-02 16:39:39

Assigner redhat

State PUBLISHED

Description

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.

← Browse all CVEs View on cve.org ↗