CVE-2026-4628
Received Received - Intake

Improper Access Control in Keycloak UMA Enables Unauthorized Resource Modification

Vulnerability report for CVE-2026-4628, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-23

Last updated on: 2026-04-01

Assigner: Red Hat, Inc.

Description

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-23
Last Modified
2026-04-01
Generated
2026-07-06
AI Q&A
2026-03-23
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4628 is an improper access control vulnerability in Keycloak's User-Managed Access (UMA) authorization component. It specifically affects the resource_set endpoint, where attackers with valid credentials can bypass the allowRemoteResourceManagement=false restriction. This happens because the access control checks on HTTP PUT requests to the resource_set endpoint are not fully enforced."}, {'type': 'paragraph', 'content': 'As a result, attackers can update existing protected resources without needing additional privileges or user interaction, even though remote resource management is supposed to be disabled.'}] [1]

Impact Analysis

This vulnerability allows unauthorized modification of protected resources in Keycloak, which compromises data integrity. Attackers with valid credentials can change resources that should be restricted, potentially leading to unauthorized changes in access control configurations or resource data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized HTTP PUT requests to the Keycloak UMA resource_set endpoint, specifically to URLs matching the pattern /realms/{realm}/authz/protection/resource_set/{id}.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, you can monitor HTTP logs or use network traffic inspection tools to identify PUT requests to this endpoint.'}, {'type': 'list_item', 'content': 'Check Keycloak server access logs for PUT requests to /realms/*/authz/protection/resource_set/*.'}, {'type': 'list_item', 'content': "Use command-line tools like grep to filter logs, for example: grep 'PUT /realms/' /path/to/keycloak/access.log | grep 'resource_set'"}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump or Wireshark) to capture HTTP traffic and filter for PUT requests to the resource_set endpoint.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the Keycloak UMA resource_set endpoint and ensuring that only authorized users with appropriate privileges can perform PUT operations.

Since the vulnerability allows bypassing the allowRemoteResourceManagement=false restriction, verify and enforce proper access control policies on the resource_set endpoint.

Additionally, monitor and audit all PUT requests to the resource_set endpoint to detect unauthorized modifications.

Apply any available patches or updates from Keycloak or your vendor as soon as they are released to fix this access control flaw.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4628. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart