Description
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Published: 2026-03-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of protected resources, compromising data integrity
Action: Patch
AI Analysis

Impact

A flaw exists in Keycloak's User-Managed Access (UMA) resource_set endpoint that allows an authenticated attacker to bypass the allowRemoteResourceManagement=false restriction. The vulnerability arises from incomplete enforcement of access control checks on PUT operations, enabling an attacker with valid credentials to modify protected resources. This results in unauthorized changes that compromise data integrity and stems from an improper access control weakness (CWE-284).

Affected Systems

The vulnerability affects Red Hat products including Red Hat Build of Keycloak, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign-On 7. Specific version details are not specified in the CNA data; administrators should review all deployed instances of these products for potential exposure.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred: an attacker who authenticates to Keycloak can issue a PUT request to the resource_set endpoint and alter resources regardless of the configured restriction. No public patch or workaround is currently available, so affected systems remain exposed until an official security update is released and applied.

Generated by OpenCVE AI on April 2, 2026 at 05:25 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check Red Hat’s security portal for an update or patch and apply it as soon as available
  • Verify that the allowRemoteResourceManagement setting remains false and restrict UMA resource_set access to trusted administrative roles
  • If a patch cannot be applied, disable the UMA feature or block external access to the resource_set endpoint
  • Continuously monitor Keycloak logs for unauthorized PUT operations to the resource_set endpoint
  • No workaround available; official Red Hat guidance states mitigation options are inadequate
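As an added defender's example (not part of the OpenCVE record or of Keycloak's code), the log check from the list above: it scans constructed Quarkus-style HTTP access log lines for accepted write requests to the UMA resource_set endpoint in realms where remote resource management is meant to be disabled, which is what a successful bypass of allowRemoteResourceManagement=false would look like in an access log. The access-log format and the per-realm inventory are assumptions; the Protection API path /realms/{realm}/authz/protection/resource_set is Keycloak's documented one.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Keycloak Protection API (UMA) resource registration endpoint, with an
# optional resource id segment for operations on a single resource.
RESOURCE_SET_RE = re.compile(
    r"^/realms/(?P<realm>[^/]+)/authz/protection/resource_set(?:/(?P<rid>[^/?]+))?"
)
# Assumed Quarkus-style access log line:
#   <client_ip> - - [<ts>] "<method> <path> <proto>" <status> <bytes>
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"PUT", "POST", "DELETE"}

@dataclass
class Finding:
    ts: str
    ip: str
    realm: str
    method: str
    resource_id: str | None  # None for collection-level requests (e.g. POST)
    status: int

def find_remote_resource_writes(lines, realms_remote_mgmt_disabled):
    """Return accepted (2xx) write requests to the resource_set endpoint in
    realms whose resource servers should reject remote resource management.
    Rejected requests (4xx) are not reported: there the control worked."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        rs = RESOURCE_SET_RE.match(m["path"].split("?", 1)[0])
        if not rs or rs["realm"] not in realms_remote_mgmt_disabled:
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            findings.append(Finding(m["ts"], m["ip"], rs["realm"], m["method"], rs["rid"], status))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Mar/2026:09:01:10 +0000] "GET /realms/acme/authz/protection/resource_set/a1b2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Mar/2026:09:01:12 +0000] "PUT /realms/acme/authz/protection/resource_set/a1b2 HTTP/1.1" 204 0',
    '10.0.0.9 - - [23/Mar/2026:09:01:13 +0000] "PUT /realms/acme/authz/protection/resource_set/a1b2 HTTP/1.1" 403 88',
    '10.0.0.7 - - [23/Mar/2026:09:02:00 +0000] "POST /realms/partners/authz/protection/resource_set HTTP/1.1" 201 300',
]
REALMS_REMOTE_MGMT_DISABLED = {"acme"}  # assumed inventory, keyed by realm for simplicity

if __name__ == "__main__":
    for f in find_remote_resource_writes(SAMPLE_LOG, REALMS_REMOTE_MGMT_DISABLED):
        print(f)
```

In a real deployment the inventory would be keyed by resource server (client) rather than realm, since allowRemoteResourceManagement is a per-resource-server setting.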

Generated by OpenCVE AI on April 2, 2026 at 05:25 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-4pgc-gfrr-wcmg
Title: Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
History

Wed, 01 Apr 2026 23:45:00 +0000

  Type: CPEs
  Values added: cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*

Thu, 26 Mar 2026 16:15:00 +0000

  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

  Type: First Time appeared
  Values added: Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack; Redhat keycloak; Redhat single Sign-on

  Type: Vendors & Products
  Values added: Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack; Redhat keycloak; Redhat single Sign-on

Mon, 23 Mar 2026 12:15:00 +0000

  Type: References

  Type: Metrics (threat_severity)
  Values removed: None
  Values added: Moderate

Mon, 23 Mar 2026 08:45:00 +0000

  Type: Description
  Values added: A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak's User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

  Type: Title
  Values added: Keycloak: org.keycloak.authorization: keycloak: unauthorized resource modification due to improper access control

  Type: First Time appeared
  Values added: Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On

  Type: Weaknesses
  Values added: CWE-284

  Type: CPEs
  Values added: cpe:/a:redhat:build_keycloak:; cpe:/a:redhat:jboss_enterprise_application_platform:8; cpe:/a:redhat:jbosseapxp; cpe:/a:redhat:red_hat_single_sign_on:7

  Type: Vendors & Products
  Values added: Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On

  Type: References

  Type: Metrics (cvssV3_1)
  Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-25T14:03:04.463Z

Reserved: 2026-03-23T07:45:26.489Z

Link: CVE-2026-4628

Vulnrichment

Updated: 2026-03-25T14:02:18.546Z

NVD

Status: Analyzed

Published: 2026-03-23T09:16:26.140

Modified: 2026-04-01T14:29:05.873

Link: CVE-2026-4628

Redhat

Severity: Moderate

Public Date: 2026-03-23T00:00:00Z

Links: CVE-2026-4628 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:59:30Z

Weaknesses