CVE-2026-3190: Improper Handling of Insufficient Permissions or Privileges in Red Hat Build of Keycloak
CVE-2026-3190 is a medium-severity vulnerability in Red Hat Build of Keycloak affecting the User-Managed Access (UMA) 2.0 Protection API endpoint. The flaw allows any authenticated user with a token issued for a resource server client to enumerate all permission tickets without requiring the `uma_protection` role. This improper permission enforcement leads to partial information disclosure but does not impact integrity or availability. Exploitation requires authentication but no user interaction. There are no known exploits in the wild currently. Organizations using Red Hat Build of Keycloak for identity and access management should prioritize patching or mitigating this issue to prevent unauthorized information exposure.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-3190 affects the Red Hat Build of Keycloak, specifically the User-Managed Access (UMA) 2.0 Protection API endpoint responsible for managing permission tickets. Normally, access to permission tickets requires the `uma_protection` role to ensure only authorized clients can enumerate or manage these tickets. However, due to improper handling of permission checks, any authenticated user possessing a token issued for a resource server client can bypass this role check and enumerate all permission tickets in the system. This flaw constitutes an authorization bypass vulnerability leading to information disclosure. The vulnerability does not allow modification or deletion of permission tickets, nor does it affect system availability. The CVSS v3.1 score is 4.3 (medium severity), reflecting the limited impact on confidentiality and no impact on integrity or availability. Exploitation requires an authenticated token but no additional user interaction, making it moderately easy to exploit in environments where users have resource server client tokens. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly.
Potential Impact
The primary impact of this vulnerability is unauthorized information disclosure. Attackers or malicious insiders with authenticated access can enumerate all permission tickets, potentially revealing sensitive information about resource access permissions and user entitlements within the Keycloak environment. This could aid in reconnaissance efforts for further attacks or privilege escalation attempts. Although the vulnerability does not allow modification or denial of service, the exposure of permission ticket data could undermine trust in the access control mechanisms and lead to indirect security risks. Organizations relying on Keycloak for identity and access management, especially those managing sensitive or regulated data, could face compliance and privacy concerns. The impact is limited to environments where UMA 2.0 Protection API is in use and where users have tokens issued for resource server clients.
Mitigation Recommendations
To mitigate CVE-2026-3190, organizations should:
1) Apply any available patches or updates from Red Hat for the Keycloak build as soon as they are released.
2) Review and tighten access control policies around UMA 2.0 Protection API endpoints, ensuring that only trusted clients and users have tokens issued for resource server clients.
3) Implement strict monitoring and logging of API calls to detect unusual enumeration activity of permission tickets.
4) Consider restricting the issuance of tokens with resource server client scopes to only necessary users or services.
5) If patching is not immediately possible, deploy compensating controls such as API gateway filters or WAF rules to block unauthorized access to the permission ticket endpoints.
6) Conduct regular audits of permission tickets and roles to identify any anomalies or excessive permissions.
7) Educate developers and administrators about the importance of role enforcement in UMA implementations to prevent similar issues in custom extensions or integrations.
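Steps 3 and 5 above can be combined into one compensating control: a gateway filter in front of the permission-ticket endpoint that re-checks the `uma_protection` client role the vulnerable endpoint fails to enforce, and raises an alert when one client lists tickets unusually often. The following is an added illustration written for this page, not code from Keycloak or from Red Hat. Everything beyond what the advisory states is an assumption: the endpoint path suffix (modelled on Keycloak's documented Protection API layout), the HS256 shared secret used only so the block runs offline (real Keycloak access tokens are RS256 and must be verified against the realm's public key), the claim location `resource_access[<client>].roles`, and the listing threshold.

```python
"""Added example (not Keycloak's code): a gateway-style filter in front of the
UMA Protection API permission-ticket endpoint that enforces the uma_protection
client role and alerts on unusually frequent ticket listing (mitigation steps 3
and 5). Assumptions, all constructed for this example: the endpoint path suffix,
an HS256 shared secret so the block is self-contained (Keycloak access tokens
are RS256 and must be verified against the realm's public key), and the alert
threshold."""
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Optional

TICKET_PATH_SUFFIX = "/authz/protection/permission/ticket"  # assumed Keycloak path
REQUIRED_ROLE = "uma_protection"
LIST_THRESHOLD = 3  # constructed: GET listings per client/subject before alerting
SECRET = b"constructed-example-secret"  # constructed stand-in for the realm key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a constructed HS256 token carrying Keycloak-shaped claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None


def has_uma_protection(claims: dict) -> bool:
    """Keycloak grants uma_protection as a client role of the resource server;
    this example assumes it appears under resource_access[<azp client>].roles."""
    client = claims.get("azp", "")
    roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return REQUIRED_ROLE in roles


class TicketEndpointFilter:
    """Returns pass (not our endpoint), allow, or deny per request and keeps
    a list of alerts worth forwarding to the SIEM."""

    def __init__(self) -> None:
        self.list_counts = defaultdict(int)
        self.alerts = []

    def decide(self, method: str, path: str, auth_header: str) -> str:
        if not path.split("?", 1)[0].endswith(TICKET_PATH_SUFFIX):
            return "pass"
        if not auth_header.startswith("Bearer "):
            return "deny"
        claims = verify_token(auth_header[len("Bearer "):])
        if claims is None:
            return "deny"
        if not has_uma_protection(claims):
            # The CVE-2026-3190 pattern: a valid token for the resource server
            # client that lacks the role the endpoint should have required.
            self.alerts.append(f"missing {REQUIRED_ROLE}: azp={claims.get('azp')} sub={claims.get('sub')}")
            return "deny"
        if method == "GET":  # listing tickets is the enumeration path
            key = (claims.get("azp"), claims.get("sub"))
            self.list_counts[key] += 1
            if self.list_counts[key] > LIST_THRESHOLD:
                self.alerts.append(f"high ticket listing rate: azp={key[0]} sub={key[1]} count={self.list_counts[key]}")
        return "allow"


def run_demo():
    """Constructed traffic: a legitimate resource-server call, a user token without
    the role, an unrelated endpoint, a forged token reusing a real signature, then a burst."""
    flt = TicketEndpointFilter()
    ticket_path = "/realms/example-realm" + TICKET_PATH_SUFFIX
    rs_token = make_token({"sub": "service-account-rs", "azp": "example-rs",
                           "resource_access": {"example-rs": {"roles": [REQUIRED_ROLE]}}})
    user_token = make_token({"sub": "alice", "azp": "example-rs",
                             "resource_access": {"example-rs": {"roles": ["offline_access"]}}})
    hdr, payload, _ = user_token.split(".")
    forged = f"{hdr}.{payload}." + rs_token.split(".")[2]  # signature does not cover these claims
    requests = [
        ("GET", ticket_path + "?owner=alice", "Bearer " + rs_token),
        ("GET", ticket_path, "Bearer " + user_token),
        ("GET", "/realms/example-realm/protocol/openid-connect/userinfo", "Bearer " + user_token),
        ("GET", ticket_path, "Bearer " + forged),
    ] + [("GET", ticket_path, "Bearer " + rs_token)] * 3
    decisions = [flt.decide(*req) for req in requests]
    return decisions, flt.alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print("ALERT", line)
```

The filter only hardens the one endpoint the advisory names; it is a stopgap until the Red Hat fix is applied, and the role check it performs belongs in Keycloak itself, not in the gateway, once patched.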
Affected Countries
United States, Germany, India, United Kingdom, France, Japan, Canada, Australia, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-02-25T08:35:07.988Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c589333c064ed76fb16807
Added to database: 3/26/2026, 7:29:55 PM
Last enriched: 3/26/2026, 7:46:10 PM
Last updated: 3/26/2026, 8:38:46 PM