CVE-2026-3190 is a security vulnerability identified in Red Hat's build of Keycloak version 26.4, specifically affecting the User-Managed Access (UMA) 2.0 Protection API endpoint responsible for handling permission tickets. The flaw arises because the endpoint fails to enforce the 'uma_protection' role check properly. In practice, this means that any authenticated user possessing a token issued for a resource server client can enumerate all permission tickets in the system, even if they do not have the 'uma_protection' role assigned. Permission tickets in UMA represent authorization requests and consents, and their exposure can reveal sensitive information about resource access policies and user permissions. The vulnerability is limited to information disclosure and does not permit modification or denial of service. Exploitation requires the attacker to be authenticated with a valid token but does not require additional user interaction. The vulnerability has a CVSS v3.1 base score of 4.3, categorized as medium severity, reflecting its limited impact on confidentiality and no impact on integrity or availability. No public exploits have been reported so far. The root cause is an improper access control check in the Keycloak UMA Protection API, which should restrict permission ticket enumeration to users with the 'uma_protection' role but fails to do so. This flaw could be leveraged by malicious insiders or compromised accounts to gather intelligence on authorization policies and potentially aid in further attacks or privilege escalation attempts.

The primary impact of CVE-2026-3190 is unauthorized information disclosure. Attackers who gain authenticated access to Keycloak can enumerate all permission tickets, revealing details about resource access requests and consents. This exposure can undermine confidentiality by leaking sensitive authorization metadata, which could be used to map out protected resources and user permissions. While the vulnerability does not allow modification or denial of service, the disclosed information could facilitate targeted attacks, social engineering, or privilege escalation by providing attackers with insights into the access control landscape. Organizations relying on Keycloak for identity and access management, especially those managing sensitive or regulated data, face increased risk of data leakage and compliance violations. The vulnerability affects any deployment of Red Hat's Keycloak 26.4 with UMA 2.0 enabled, potentially impacting cloud services, enterprise applications, and government systems. Although exploitation requires authentication, the risk remains significant in environments where user credentials may be compromised or where insider threats exist.

To mitigate CVE-2026-3190, organizations should apply the official patches or updates provided by Red Hat for Keycloak 26.4 as soon as they become available. In the absence of patches, administrators should audit and restrict access to resource server client tokens, ensuring that only trusted users receive tokens capable of interacting with the UMA Protection API. Implement strict role assignment policies to limit the issuance of tokens to users with the 'uma_protection' role only when necessary. Additionally, enable comprehensive logging and monitoring of UMA API calls to detect unusual enumeration activity. Network-level controls such as segmentation and access restrictions can reduce exposure by limiting which users or systems can authenticate to Keycloak. Regularly review and rotate credentials to minimize the risk of compromised tokens being used to exploit this vulnerability. Finally, conduct security awareness training to reduce insider threat risks and encourage prompt reporting of suspicious activity.