Skip to main content

Red Hat CVE-2026-4628

| EUVDEUVD-2026-14389 MEDIUM
Improper Access Control (CWE-284)
2026-03-23 redhat GHSA-4pgc-gfrr-wcmg
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 08:45 euvd
EUVD-2026-14389
Analysis Generated
Mar 23, 2026 - 08:45 vuln.today
CVE Published
Mar 23, 2026 - 08:09 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 47 maven packages depend on org.keycloak:keycloak-services (15 direct, 32 indirect)

Ecosystem-wide dependent count for version 26.6.0.

DescriptionCVE.org

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

AnalysisAI

Keycloak's User-Managed Access endpoint fails to properly enforce access control on PUT operations, permitting authenticated attackers to modify protected resources despite the allowRemoteResourceManagement restriction being disabled. This access control bypass affects data integrity and impacts any organization using Keycloak for identity and access management. The vulnerability requires valid credentials to exploit and currently has no available patch.

Technical ContextAI

The vulnerability resides in Keycloak's User-Managed Access (UMA) implementation, specifically in the resource_set endpoint that manages user-controlled resource definitions within the OAuth 2.0 and OpenID Connect authorization framework. The flaw is classified as CWE-284 (Improper Access Control), indicating incomplete enforcement of authorization checks on HTTP PUT operations to the resource_set endpoint. Keycloak, which serves as an identity and access management (IAM) platform across Red Hat products including JBoss Enterprise Application Platform 8 (cpe:2.3:a:red_hat:red_hat_jboss_enterprise_application_platform_8:*:*:*:*:*:*:*:*), Red Hat Single Sign-On 7 (cpe:2.3:a:red_hat:red_hat_single_sign-on_7:*:*:*:*:*:*:*:*), and Red Hat Build of Keycloak (cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*), implements UMA 2.0 protocol features where resource owners should have restricted capabilities when allowRemoteResourceManagement is disabled. The root cause appears to be missing or insufficient validation logic at the authorization layer for PUT operations, allowing authenticated users to circumvent policy restrictions that should prevent remote resource modification.

RemediationAI

Upgrade Keycloak and affected Red Hat products to the patched version released by Red Hat addressing CVE-2026-4628; refer to https://access.redhat.com/security/cve/CVE-2026-4628 for specific version numbers and release dates. Until patching can be completed, implement the following interim mitigations: disable or restrict the UMA resource_set endpoint via reverse proxy rules for non-administrative users, enforce allowRemoteResourceManagement=false at the configuration level with additional API gateway-level authorization checks, restrict network access to Keycloak administrative and UMA endpoints to trusted internal networks only, and audit resource_set modification logs regularly to detect unauthorized access attempts. Organizations should also review and implement the principle of least privilege for all service accounts interacting with the UMA endpoints.

Vendor StatusVendor

Debian

Bug #1088287
keycloak
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-4628 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy