CVE-2026-4628
Improper Access Control in Keycloak UMA Enables Unauthorized Resource Modification
Publication date: 2026-03-23
Last updated on: 2026-04-01
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | build_of_keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4628 is an improper access control vulnerability in Keycloak's User-Managed Access (UMA) authorization component. It specifically affects the resource_set endpoint of the UMA Protection API, where attackers with valid credentials can bypass the allowRemoteResourceManagement=false restriction. This happens because the access control checks on HTTP PUT requests to the resource_set endpoint are not fully enforced.

As a result, attackers can update existing protected resources without needing additional privileges or user interaction, even though remote resource management is supposed to be disabled. [1]
How can this vulnerability impact me?
This vulnerability allows unauthorized modification of protected resources in Keycloak, which compromises data integrity. Attackers with valid credentials can change resource definitions that should be restricted, potentially leading to unauthorized changes in access control configuration (for example, the name, URIs, scopes, or attributes attached to a resource) or in the resource data itself.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is exercised through HTTP PUT requests to the Keycloak UMA Protection API, at URLs matching the pattern /realms/{realm}/authz/protection/resource_set/{id} (deployments that still use the legacy relative path carry a /auth prefix: /auth/realms/{realm}/authz/protection/resource_set/{id}).

To detect exploitation attempts on your network or system, monitor HTTP logs or use network traffic inspection tools to identify PUT requests to this endpoint:

- Check Keycloak server access logs for PUT requests to /realms/*/authz/protection/resource_set/*. The Quarkus-based Keycloak distribution does not write an HTTP access log unless it is enabled (for example via the http-access-log-enabled option); if it is not enabled, use the access log of the reverse proxy in front of Keycloak instead.
- Use command-line tools like grep to filter logs, for example: grep 'PUT /realms/' /path/to/keycloak/access.log | grep 'resource_set'
- Use network monitoring tools (e.g., tcpdump or Wireshark) to capture HTTP traffic and filter for PUT requests to the resource_set endpoint. This only works where the traffic is visible in clear text, such as on the segment between a TLS-terminating proxy and Keycloak.

PUT requests to this endpoint are legitimate for resource servers that have remote resource management enabled, so correlate each hit with the allowRemoteResourceManagement setting of the resource server it targets: a successful (2xx) PUT against a resource server where that setting is false is the indicator of exploitation, while a 4xx response indicates a rejected attempt. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Keycloak UMA resource_set endpoint (/realms/{realm}/authz/protection/resource_set/{id}) and ensuring that only authorized clients with appropriate privileges can perform PUT operations. The Protection API is called with a protection API token (PAT), so "valid credentials" here means any client able to obtain a PAT for the affected resource server; review which clients have that ability and remove it where it is not needed.
Since the vulnerability allows bypassing the allowRemoteResourceManagement=false restriction, do not rely on that setting alone: verify it in each resource server's authorization configuration and, until the fix is deployed, add a compensating control such as a reverse-proxy rule that rejects PUT requests to the endpoint for resource servers that never use remote resource management.
Additionally, monitor and audit all PUT requests to the resource_set endpoint to detect unauthorized modifications, and compare the current definitions of protected resources against a known-good export of the authorization settings to find changes that have already been made.
Apply any available patches or updates from Keycloak or your vendor as soon as they are released to fix this access control flaw; this page lists the affected range for Red Hat build of Keycloak only as "*", so check the vendor advisory for the fixed version.
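The log check described in the detection answer above and the "monitor and audit all PUT requests" step above can be done with a small scanner rather than chained greps, so that each hit carries the realm, resource ID and response status needed for the correlation step. The following is an added example, not part of this advisory or of the Keycloak project. It assumes access-log lines in Common Log Format (the layout is configurable in Keycloak and in any reverse proxy, so adjust LOG_RE to match yours); the sample log lines and the resource IDs in them are constructed for the example. It goes slightly beyond the page by accepting the legacy /auth prefix and by letting the caller extend the same scan to other write verbs such as DELETE.

```python
"""Scan HTTP access-log lines for writes to the Keycloak UMA resource_set endpoint.

Added example (not from the advisory or from Keycloak). Assumes Common Log
Format lines; adjust LOG_RE for a different access-log pattern.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines, not real traffic. Resource IDs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Mar/2026:10:01:02 +0000] "GET /realms/demo/protocol/openid-connect/auth HTTP/1.1" 200 1432
10.0.0.7 - - [23/Mar/2026:10:01:15 +0000] "POST /realms/demo/authz/protection/resource_set HTTP/1.1" 201 310
10.0.0.9 - - [23/Mar/2026:10:02:40 +0000] "PUT /realms/demo/authz/protection/resource_set/7c1e0b4a-1111-4aaa-9bbb-0c0c0c0c0c0c HTTP/1.1" 204 0
10.0.0.9 - - [23/Mar/2026:10:02:41 +0000] "PUT /realms/demo/authz/protection/resource_set/7c1e0b4a-1111-4aaa-9bbb-0c0c0c0c0c0c HTTP/1.1" 403 85
10.0.0.9 - - [23/Mar/2026:10:03:00 +0000] "GET /realms/demo/authz/protection/resource_set/7c1e0b4a-1111-4aaa-9bbb-0c0c0c0c0c0c HTTP/1.1" 200 412
10.0.0.12 - - [23/Mar/2026:10:04:00 +0000] "PUT /auth/realms/legacy/authz/protection/resource_set/abc123 HTTP/1.1" 204 0
10.0.0.12 - - [23/Mar/2026:10:04:05 +0000] "DELETE /realms/demo/authz/protection/resource_set/abc123 HTTP/1.1" 204 0
"""

# Common Log Format: source, identd, user, [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Single-resource URL of the Protection API. The optional /auth prefix covers
# deployments that still use the legacy relative path; a trailing query string
# or fragment is tolerated but not part of the resource ID.
RESOURCE_SET_RE = re.compile(
    r'^(?:/auth)?/realms/(?P<realm>[^/]+)/authz/protection/resource_set/'
    r'(?P<rid>[^/?#]+)(?:[?#].*)?$'
)


@dataclass(frozen=True)
class Finding:
    source: str
    timestamp: str
    method: str
    realm: str
    resource_id: str
    status: int

    @property
    def succeeded(self) -> bool:
        # 2xx means Keycloak accepted the modification; anything else was rejected
        # (or failed for another reason) and counts only as an attempt.
        return 200 <= self.status < 300


def find_resource_set_writes(lines, methods=("PUT",)):
    """Return a Finding for each request using one of `methods` against a single resource.

    The default covers the PUT requests the advisory describes; passing
    ("PUT", "DELETE") extends the same scan to other write verbs on the endpoint.
    Requests to the collection URL (POST creating a resource) are not matched.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in methods:
            continue
        p = RESOURCE_SET_RE.match(m["path"])
        if not p:
            continue  # some other realm or Protection API endpoint
        findings.append(Finding(m["src"], m["ts"], m["method"],
                                p["realm"], p["rid"], int(m["status"])))
    return findings


def successful_writes_by_source(findings):
    """Count accepted (2xx) writes per (source address, realm).

    These are the hits to correlate with each resource server's
    allowRemoteResourceManagement setting: a successful write where the
    setting is false is the exploitation indicator.
    """
    return dict(Counter((f.source, f.realm) for f in findings if f.succeeded))


if __name__ == "__main__":
    hits = find_resource_set_writes(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.source} {f.method} realm={f.realm} "
              f"resource={f.resource_id} status={f.status} accepted={f.succeeded}")
    print(successful_writes_by_source(hits))
```

Run it against a real access log by replacing SAMPLE_LOG.splitlines() with the file's lines; the 403 in the sample shows why status is kept per finding, since a rejected attempt and an accepted modification need different handling in the investigation.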