Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 47 maven packages depend on org.keycloak:keycloak-services (15 direct, 32 indirect)
Ecosystem-wide dependent count for version 26.6.0.
DescriptionCVE.org
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
AnalysisAI
Keycloak's User-Managed Access endpoint fails to properly enforce access control on PUT operations, permitting authenticated attackers to modify protected resources despite the allowRemoteResourceManagement restriction being disabled. This access control bypass affects data integrity and impacts any organization using Keycloak for identity and access management. The vulnerability requires valid credentials to exploit and currently has no available patch.
Technical ContextAI
The vulnerability resides in Keycloak's User-Managed Access (UMA) implementation, specifically in the resource_set endpoint that manages user-controlled resource definitions within the OAuth 2.0 and OpenID Connect authorization framework. The flaw is classified as CWE-284 (Improper Access Control), indicating incomplete enforcement of authorization checks on HTTP PUT operations to the resource_set endpoint. Keycloak, which serves as an identity and access management (IAM) platform across Red Hat products including JBoss Enterprise Application Platform 8 (cpe:2.3:a:red_hat:red_hat_jboss_enterprise_application_platform_8:*:*:*:*:*:*:*:*), Red Hat Single Sign-On 7 (cpe:2.3:a:red_hat:red_hat_single_sign-on_7:*:*:*:*:*:*:*:*), and Red Hat Build of Keycloak (cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*), implements UMA 2.0 protocol features where resource owners should have restricted capabilities when allowRemoteResourceManagement is disabled. The root cause appears to be missing or insufficient validation logic at the authorization layer for PUT operations, allowing authenticated users to circumvent policy restrictions that should prevent remote resource modification.
RemediationAI
Upgrade Keycloak and affected Red Hat products to the patched version released by Red Hat addressing CVE-2026-4628; refer to https://access.redhat.com/security/cve/CVE-2026-4628 for specific version numbers and release dates. Until patching can be completed, implement the following interim mitigations: disable or restrict the UMA resource_set endpoint via reverse proxy rules for non-administrative users, enforce allowRemoteResourceManagement=false at the configuration level with additional API gateway-level authorization checks, restrict network access to Keycloak administrative and UMA endpoints to trusted internal networks only, and audit resource_set modification logs regularly to detect unauthorized access attempts. Organizations should also review and implement the principle of least privilege for all service accounts interacting with the UMA endpoints.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
Debian
Bug #1088287| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14389
GHSA-4pgc-gfrr-wcmg