Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A cross-role information disclosure vulnerability has been identified in Keycloak. This issue allows a low-privilege administrator holding only the 'view-clients' role to exploit the 'evaluate-scopes' Admin API endpoints by supplying an arbitrary user ID parameter. The vulnerability arises because the API validates only the caller's client permissions and performs no check that the caller is permitted to view the referenced user. As a result, such an administrator can access sensitive personally identifiable information (PII) and authorization details of other users within the realm. The vulnerability can be exploited remotely through network access to the Admin API.
Exploitation of this vulnerability leads to unauthorized access to user identities and authorization details across the realm, allowing for cross-role PII leakage.
To reproduce this vulnerability, a low-privilege administrator with the 'view-clients' role can invoke the 'evaluate-scopes' Admin API endpoints. By supplying an arbitrary user ID parameter, the administrator can bypass user-specific authorization checks and access sensitive information such as full user profiles and role data. This exploitation can be performed remotely, using only network access to the Admin API.
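The check the advisory says is missing, modelled beside a hardened version, and a detector for the request pattern in access-log lines. This is an added example, not code from the advisory or from the Keycloak project; the role names follow Keycloak's realm-management client, but the log format, the URL pattern of the evaluate-scopes endpoints and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Role names as in Keycloak's realm-management client; which of them the
# endpoint checks is modelled here, not taken from Keycloak's source.
VIEW_CLIENTS = "view-clients"
VIEW_USERS = "view-users"


def authorize_vulnerable(admin_roles):
    """Gate as the advisory describes it: only the client permission is
    checked, so the userId parameter is never tied to user visibility."""
    return VIEW_CLIENTS in admin_roles


def authorize_hardened(admin_roles, user_id):
    """Client permission plus, when a userId is supplied, the right to
    view users in the realm; otherwise the request is denied."""
    if VIEW_CLIENTS not in admin_roles:
        return False
    return user_id is None or VIEW_USERS in admin_roles


# Assumed access-log format: "<admin> <METHOD> <path-with-query>" per line;
# the path pattern is an assumption about the evaluate-scopes endpoints.
LOG_RE = re.compile(r"^(?P<admin>\S+) (?P<method>GET|POST) (?P<url>\S+)$")
EVAL_RE = re.compile(r"/admin/realms/[^/]+/clients/[^/]+/evaluate-scopes/")


def flag_cross_user_lookups(lines, admin_roles):
    """Return (admin, userId) for evaluate-scopes calls carrying a userId
    from callers the hardened gate would refuse: the pattern to alert on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not EVAL_RE.search(m.group("url")):
            continue
        query = parse_qs(urlparse(m.group("url")).query)
        user_id = query.get("userId", [None])[0]
        roles = admin_roles.get(m.group("admin"), set())
        if user_id is not None and not authorize_hardened(roles, user_id):
            hits.append((m.group("admin"), user_id))
    return hits


# Constructed sample data so the block runs stand-alone.
SAMPLE_ROLES = {"svc-auditor": {VIEW_CLIENTS}, "realm-admin": {VIEW_CLIENTS, VIEW_USERS}}
SAMPLE_LOG = [
    "svc-auditor GET /admin/realms/acme/clients/c1/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-123",
    "realm-admin GET /admin/realms/acme/clients/c1/evaluate-scopes/generate-example-userinfo?scope=openid&userId=u-123",
    "svc-auditor GET /admin/realms/acme/clients/c1/evaluate-scopes/protocol-mappers?scope=openid",
]
```

Running `flag_cross_user_lookups(SAMPLE_LOG, SAMPLE_ROLES)` flags only the first line: a caller with 'view-clients' alone passing a userId, which is exactly the request the vulnerable gate lets through.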