Vulnerability details: VCID-v77w-st1u-pfe6
Vulnerability ID VCID-v77w-st1u-pfe6
Aliases CVE-2026-3190
GHSA-q35r-vvhv-vx5h
Summary Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability leads to partial information disclosure.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
cvssv3.1 4.3 https://access.redhat.com/errata/RHSA-2026:6477
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2026:6477
cvssv3.1 4.3 https://access.redhat.com/errata/RHSA-2026:6478
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2026:6478
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3190.json
cvssv3.1 4.3 https://access.redhat.com/security/cve/CVE-2026-3190
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2026-3190
ssvc Track https://access.redhat.com/security/cve/CVE-2026-3190
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2026-3190
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2026-3190
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-3190
cvssv3.1 4.3 https://bugzilla.redhat.com/show_bug.cgi?id=2442572
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2442572
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2442572
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q35r-vvhv-vx5h
cvssv3.1 4.3 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 4.3 https://github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab0694
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab0694
cvssv3.1 4.3 https://github.com/keycloak/keycloak/issues/46723
generic_textual MODERATE https://github.com/keycloak/keycloak/issues/46723
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2026-3190
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-3190
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2026:6477
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2026:6478
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3190.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/security/cve/CVE-2026-3190
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T13:46:23Z/ Found at https://access.redhat.com/security/cve/CVE-2026-3190
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2442572
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-27T13:46:23Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2442572
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab0694
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/keycloak/keycloak/issues/46723
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-3190
Exploit Prediction Scoring System (EPSS)
Percentile 0.06433
EPSS Score 0.00024
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:54:13.993192+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q35r-vvhv-vx5h/GHSA-q35r-vvhv-vx5h.json 38.0.0