CVE-2026-4628

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
References
Configurations

Configuration 1

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*

History

01 Apr 2026, 14:29

Type         Values Removed                                          Values Added
First Time                                                           Redhat
                                                                     Redhat build Of Keycloak
CPE                                                                  cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
References   https://access.redhat.com/security/cve/CVE-2026-4628    https://access.redhat.com/security/cve/CVE-2026-4628 - Vendor Advisory
References   https://bugzilla.redhat.com/show_bug.cgi?id=2450240     https://bugzilla.redhat.com/show_bug.cgi?id=2450240 - Issue Tracking, Vendor Advisory
Summary
  • (es) A flaw was found in Keycloak. An improper access control vulnerability in the User-Managed Access (UMA) 'resource_set' endpoint of Keycloak allows attackers with valid credentials to bypass the 'allowRemoteResourceManagement=false' restriction. This occurs because access control checks are enforced incompletely on PUT operations to the 'resource_set' endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

23 Mar 2026, 09:16

Type         Values Removed                                          Values Added
New CVE

Information

Published : 2026-03-23 09:16

Updated : 2026-04-01 14:29


NVD link : CVE-2026-4628

Mitre link : CVE-2026-4628

CVE.ORG link : CVE-2026-4628

Products Affected

redhat

  • build_of_keycloak
CWE
CWE-284

Improper Access Control