CVE-2026-4630
Insecure Direct Object Reference in Keycloak Authorization Services
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | to 3.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) flaw found in Keycloak's Authorization Services Protection API endpoint. An authenticated client who knows or obtains the unique identifier (UUID) of a resource belonging to another Resource Server within the same realm can bypass authorization checks.
This bypass allows the client to perform unauthorized GET, PUT, and DELETE operations on resources that they should not have access to.
As a result, the attacker can disclose sensitive information and potentially modify or delete data without proper authorization.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive data, as attackers can retrieve information from resources they should not access.
It also allows unauthorized modification or deletion of data, which can compromise data integrity and availability.
Such unauthorized actions can disrupt normal operations, cause data loss, and potentially expose confidential information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Keycloak allows an authenticated client to bypass authorization checks and perform unauthorized GET, PUT, and DELETE operations on resources belonging to other Resource Servers within the same realm. This can lead to information disclosure and unauthorized modification or deletion of data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data access, confidentiality, and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-4630 vulnerability in Keycloak, it is recommended to update your Keycloak installation to a version where the issue is fixed.
Although the provided resources do not specify an exact fixed version for CVE-2026-4630, updating to the latest available Keycloak build or patch from your vendor is advised to prevent unauthorized resource access and data modification.