CVE-2026-4636

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:6475	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:6476	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:6477	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:6478	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-4636	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2450251	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:build_of_keycloak:-::::text-only:::
	cpe:2.3:a:redhat:build_of_keycloak:26.2::::text-only:::
	cpe:2.3:a:redhat:build_of_keycloak:26.2.15::::text-only:::
	cpe:2.3:a:redhat:build_of_keycloak:26.4::::text-only:::
	cpe:2.3:a:redhat:build_of_keycloak:26.4.11::::text-only:::

History

16 Apr 2026, 20:50

Type	Values Removed	Values Added
CPE		cpe:2.3:a:redhat:build_of_keycloak:26.2::::text-only::: cpe:2.3:a:redhat:build_of_keycloak:26.4::::text-only::: cpe:2.3:a:redhat:build_of_keycloak:26.2.15::::text-only::: cpe:2.3:a:redhat:build_of_keycloak:-::::text-only::: cpe:2.3:a:redhat:build_of_keycloak:26.4.11::::text-only:::
First Time		Redhat Redhat build Of Keycloak
References	~~() https://access.redhat.com/errata/RHSA-2026:6475 -~~	() https://access.redhat.com/errata/RHSA-2026:6475 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2026:6476 -~~	() https://access.redhat.com/errata/RHSA-2026:6476 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2026:6477 -~~	() https://access.redhat.com/errata/RHSA-2026:6477 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2026:6478 -~~	() https://access.redhat.com/errata/RHSA-2026:6478 - Vendor Advisory
References	~~() https://access.redhat.com/security/cve/CVE-2026-4636 -~~	() https://access.redhat.com/security/cve/CVE-2026-4636 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2450251 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2450251 - Exploit, Issue Tracking, Vendor Advisory

02 Apr 2026, 17:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:6475 - () https://access.redhat.com/errata/RHSA-2026:6476 -

02 Apr 2026, 14:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:6477 - () https://access.redhat.com/errata/RHSA-2026:6478 -

02 Apr 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-02 13:16

Updated : 2026-04-16 20:50

NVD link : CVE-2026-4636

Mitre link : CVE-2026-4636

CVE.ORG link : CVE-2026-4636

JSON object : View

Products Affected

redhat

build_of_keycloak

CWE

CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

8.1 /10