CVE-2026-4630
Analyzed Analyzed - Analysis Complete
Insecure Direct Object Reference in Keycloak Authorization Services

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-03
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-4630
EUVD
EUVD-2026-30879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak From 26.4 (inc) to 26.4.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) flaw found in Keycloak's Authorization Services Protection API endpoint. An authenticated client who knows or obtains the unique identifier (UUID) of a resource belonging to another Resource Server within the same realm can bypass authorization checks.

This bypass allows the client to perform unauthorized GET, PUT, and DELETE operations on resources that they should not have access to.

As a result, the attacker can disclose sensitive information and potentially modify or delete data without proper authorization.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data, as attackers can retrieve information from resources they should not access.

It also allows unauthorized modification or deletion of data, which can compromise data integrity and availability.

Such unauthorized actions can disrupt normal operations, cause data loss, and potentially expose confidential information.

Compliance Impact

The vulnerability in Keycloak allows an authenticated client to bypass authorization checks and perform unauthorized GET, PUT, and DELETE operations on resources belonging to other Resource Servers within the same realm. This can lead to information disclosure and unauthorized modification or deletion of data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data access, confidentiality, and integrity.

Mitigation Strategies

To mitigate the CVE-2026-4630 vulnerability in Keycloak, it is recommended to update your Keycloak installation to a version where the issue is fixed.

Although the provided resources do not specify an exact fixed version for CVE-2026-4630, updating to the latest available Keycloak build or patch from your vendor is advised to prevent unauthorized resource access and data modification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4630. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart