Keycloak Broken Access Control Vulnerability in User Lookup Endpoint Allows PII Harvesting

Vulnerability

A broken access control vulnerability has been identified in the user lookup endpoint of Keycloak's Account Resources API, the part of the account REST API used to manage User-Managed Access (UMA) resources. Any remote authenticated user who owns at least one UMA resource can use this endpoint to enumerate and collect personally identifiable information (PII) about every other user in the same realm. By supplying chosen usernames or email addresses, the caller receives the full profile (ID, username, name, email and status) of users who have no relationship to the caller or to the shared resource. The result is a loss of confidentiality for profile-level information across the whole realm.

Impact

Exploitation of this vulnerability allows any authenticated user who owns a single UMA resource to read the personally identifiable information (PII) of every user in the Keycloak realm, bypassing the access controls and privacy safeguards that normally keep one user's profile data from another.

Reproduction

To reproduce this vulnerability, an authenticated user who owns at least one User-Managed Access (UMA) resource sends requests to the Account Resources user lookup endpoint with arbitrary username or email values. The endpoint responds with the full profile object of whichever user matches, including users unrelated to the caller, disclosing personally identifiable information (PII) such as ID, username, name, email and status. Iterating over candidate usernames or email addresses therefore yields the profiles of the realm's user base.
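The lookup pattern described in the Vulnerability and Reproduction sections (one authenticated subject asking for many different users by username or email in a short time) is also what a defender can hunt for. The script below is an added example, not code from Keycloak or from this advisory: it parses reverse-proxy access-log lines and flags any (realm, subject) pair that looked up at least a threshold number of distinct users inside a sliding time window. The log lines are constructed for the example; the path prefix `/realms/{realm}/account/resources`, the `username` and `email` query parameter names, and the convention that the proxy writes the token subject into the remote-user field are all assumptions, so adjust them to your own logging.

```python
"""Hunt for user-lookup enumeration against Keycloak's Account Resources API.

Added example (not Keycloak's own code). Assumes a reverse proxy in front of
Keycloak writes one combined-log style line per request with the access
token's subject in the remote-user field. Log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample: subject 3f0c1e8a looks up five different users in ten
# seconds (enumeration); subject 9b77d2c4 looks up one user (normal sharing).
SAMPLE_LOG = """\
10.0.0.5 - 3f0c1e8a [19/May/2026:12:00:01 +0000] "GET /realms/demo/account/resources?username=alice HTTP/1.1" 200
10.0.0.5 - 3f0c1e8a [19/May/2026:12:00:03 +0000] "GET /realms/demo/account/resources?email=bob%40example.com HTTP/1.1" 200
10.0.0.5 - 3f0c1e8a [19/May/2026:12:00:04 +0000] "GET /realms/demo/account/resources?username=carol HTTP/1.1" 200
10.0.0.5 - 3f0c1e8a [19/May/2026:12:00:06 +0000] "GET /realms/demo/account/resources?username=alice HTTP/1.1" 200
10.0.0.5 - 3f0c1e8a [19/May/2026:12:00:09 +0000] "GET /realms/demo/account/resources?username=dave HTTP/1.1" 200
10.0.0.5 - 3f0c1e8a [19/May/2026:12:00:11 +0000] "GET /realms/demo/account/resources?username=erin HTTP/1.1" 200
10.0.0.7 - 9b77d2c4 [19/May/2026:12:01:00 +0000] "GET /realms/demo/account/resources?username=frank HTTP/1.1" 200
10.0.0.7 - 9b77d2c4 [19/May/2026:12:01:02 +0000] "GET /realms/demo/account/resources HTTP/1.1" 200
10.0.0.9 - 3f0c1e8a [19/May/2026:13:30:00 +0000] "GET /realms/demo/account/resources?username=grace HTTP/1.1" 200
"""

# Combined-log shape: ip - subject [timestamp] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<sub>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed location of the Account Resources API inside a realm.
LOOKUP_PREFIX_RE = re.compile(r"^/realms/(?P<realm>[^/]+)/account/resources")
# Assumed query parameters carrying the looked-up identity.
LOOKUP_PARAMS = ("username", "email")


def parse_lookup(line):
    """Return (timestamp, realm, subject, looked_up_value) for a request that
    asks the Account Resources API about a specific user, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    p = LOOKUP_PREFIX_RE.match(url.path)
    if not p:
        return None
    qs = parse_qs(url.query)  # also percent-decodes, e.g. %40 -> @
    values = [v.strip().lower() for k in LOOKUP_PARAMS for v in qs.get(k, [])]
    if not values:
        return None  # listing own resources, not a user lookup
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, p.group("realm"), m.group("sub"), values[0]


def find_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Map (realm, subject) -> sorted distinct identities looked up, for every
    subject that queried at least `threshold` distinct users within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_lookup(line)
        if rec:
            ts, realm, sub, value = rec
            events[(realm, sub)].append((ts, value))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # identity -> occurrences inside window
        start = 0
        for ts, value in evs:
            in_window[value] += 1
            # Slide the window: drop events older than ts - window.
            while evs[start][0] < ts - window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hits.setdefault(key, set()).update(in_window)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (realm, sub), targets in find_enumeration(SAMPLE_LOG).items():
        print(f"realm={realm} subject={sub} looked up {len(targets)} users: {targets}")
```

Tune `threshold` and `window` to what resource sharing looks like in your deployment: a user sharing a document with a handful of colleagues produces a few lookups, whereas a harvester walks through a wordlist of usernames or email addresses. Because the endpoint answers with the profile whether or not the caller is related to the target, the count of distinct identities per subject is the signal, not the response status.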

Added: May 19, 2026, 12:28 PM
Updated: May 19, 2026, 12:28 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 8.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.