Description
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
Published: 2026-05-19
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated client can exploit an Insecure Direct Object Reference (IDOR, CWE-639) vulnerability in Keycloak's Authorization Services Protection API. The Protection API is the endpoint a resource server uses to register and manage its own protected resources, authenticating with a Protection API Token (PAT). A client holding a PAT for one resource server that learns or obtains the UUID of a resource registered by a different resource server in the same realm can read, modify, or delete that resource: the endpoint resolves the resource by UUID without checking that it belongs to the caller's resource server. The flaw leads to unauthorized disclosure of resource definitions and to their alteration or deletion, compromising the confidentiality and integrity of resources the client should not be able to reach. The CVSS vector scores availability as not impacted, although deleting another resource server's resource definitions would still disrupt that application's authorization decisions.
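The behaviour described above, modelled as an added example; this is not Keycloak's code and not code from the page. It assumes a realm store keyed by resource UUID, a PAT that carries the resource server it was issued to, and two resource servers (rs-billing and rs-hr, hypothetical names) in one realm. The flawed lookup resolves the UUID alone; the fixed lookup scopes it to the caller's resource server and answers 404 for a foreign resource. That 404 is a design choice here, since the page does not say how the vendor fix responds.

```python
import copy
import uuid
from dataclasses import dataclass, field

# Constructed stand-in for one Keycloak realm's authorization store: two
# resource servers (clients with Authorization Services enabled), each owning
# one resource. Names and IDs are made up; Keycloak also keys resources by
# random UUIDs, which is why an attacker must obtain rather than guess one.
RS_BILLING = "rs-billing"
RS_HR = "rs-hr"


@dataclass
class Resource:
    id: str
    name: str
    resource_server_id: str
    scopes: list = field(default_factory=list)


@dataclass
class ProtectionToken:
    """The part of a Protection API Token (PAT) that matters here: which
    resource server (client) it was issued to."""
    client_id: str
    resource_server_id: str


def make_store():
    """Fresh realm store; returns (uuid -> Resource, name -> uuid)."""
    store = {}
    for name, rs in (("invoices", RS_BILLING), ("payroll", RS_HR)):
        rid = str(uuid.uuid4())
        store[rid] = Resource(rid, name, rs, ["read", "write"])
    return store, {r.name: r.id for r in store.values()}


def find_resource_vulnerable(store, pat, resource_id):
    # IDOR (hypothetical model of the flaw): the lookup is keyed on the UUID
    # alone; the PAT's resource server is never compared with the owner.
    return store.get(resource_id)


def find_resource_fixed(store, pat, resource_id):
    # Scope the lookup to the caller's resource server. A resource owned by
    # another server is treated as non-existent, so the response does not
    # even confirm that the UUID is valid elsewhere in the realm.
    res = store.get(resource_id)
    if res is None or res.resource_server_id != pat.resource_server_id:
        return None
    return res


def protection_api(store, pat, method, resource_id, body=None, fixed=True):
    """Model of GET/PUT/DELETE /realms/{realm}/authz/protection/resource_set/{id}.
    Returns (http_status, payload)."""
    finder = find_resource_fixed if fixed else find_resource_vulnerable
    res = finder(store, pat, resource_id)
    if res is None:
        return 404, None
    if method == "GET":
        return 200, copy.deepcopy(res)
    if method == "PUT":
        res.name = body.get("name", res.name)
        res.scopes = body.get("scopes", res.scopes)
        return 204, None
    if method == "DELETE":
        del store[resource_id]
        return 204, None
    return 405, None


def demo():
    """Billing's PAT against HR's resource, on the flawed and on the fixed lookup."""
    pat_billing = ProtectionToken("billing-app", RS_BILLING)
    out = {}

    store, ids = make_store()
    payroll = ids["payroll"]  # owned by rs-hr, not by the caller's rs-billing
    out["vuln_get"] = protection_api(store, pat_billing, "GET", payroll, fixed=False)[0]
    out["vuln_put"] = protection_api(store, pat_billing, "PUT", payroll, {"name": "pwned"}, fixed=False)[0]
    out["vuln_name_after_put"] = store[payroll].name
    out["vuln_delete"] = protection_api(store, pat_billing, "DELETE", payroll, fixed=False)[0]
    out["vuln_exists_after_delete"] = payroll in store

    store, ids = make_store()
    payroll, invoices = ids["payroll"], ids["invoices"]
    out["fixed_get"] = protection_api(store, pat_billing, "GET", payroll)[0]
    out["fixed_put"] = protection_api(store, pat_billing, "PUT", payroll, {"name": "pwned"})[0]
    out["fixed_name_after_put"] = store[payroll].name
    out["fixed_delete"] = protection_api(store, pat_billing, "DELETE", payroll)[0]
    out["fixed_exists_after_delete"] = payroll in store
    out["own_get"] = protection_api(store, pat_billing, "GET", invoices)[0]  # still allowed
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

The point of the fixed variant is that the owner check happens inside the lookup, before any method-specific handling, so GET, PUT and DELETE cannot diverge in what they enforce.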

Affected Systems

The only product listed is Red Hat build of Keycloak (CPE cpe:/a:redhat:build_keycloak:, with no version bound). No affected or fixed version range is documented in the available data, so treat every deployment of the product as affected until Red Hat publishes a fixed release. The CVE description says the flaw was found in Keycloak rather than in something specific to the Red Hat build, so community Keycloak releases should be assumed affected as well until an upstream advisory says otherwise. The attack surface exists only where Authorization Services are in use: exploitation needs a client that can obtain a Protection API Token (a client with Authorization Services enabled) and a second resource server in the same realm whose resources it can target, so a realm with a single resource server, or none, offers nothing to reach.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) gives a base score of 6.8 (Medium): network-reachable, no user interaction, high confidentiality and integrity impact, but high attack complexity and low privileges required. The low-privilege precondition is a valid Protection API Token, which only a client with Authorization Services enabled in the same realm can obtain. The high complexity reflects that Keycloak resource IDs are random UUIDs, so in practice the attacker has to obtain the target UUID (from leaked logs or error messages, or from the permission tickets that UMA flows hand to clients) rather than guess it. The EPSS probability is below 1%, and the vulnerability is not in the CISA KEV catalog, meaning CISA has no confirmed report of in-the-wild exploitation; neither signal is evidence that the flaw is unexploited. Exposure is greatest in multi-tenant realms where several resource servers operated by different teams or customers share one realm, because any one tenant's client is in a position to attack the others. Red Hat has stated that no workaround meets its security criteria, so organizations should consult Red Hat support for guidance and apply the official patch when it is released.

Generated by OpenCVE AI on May 19, 2026 at 12:26 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Contact Red Hat support to determine whether an update or interim guidance is available, and report any suspected exploitation
  • Reduce the number of clients that can hold a Protection API Token: keep Authorization Services enabled only on clients that actually register resources, since every such client is a resource server able to call the Protection API, and audit which service accounts carry the uma_protection role that Keycloak grants when Authorization Services is enabled. Narrowing a client's scopes or the permissions it manages does not help here, because the missing check is on the Protection API itself, not on the permissions it administers
  • Where tenants or teams that must not see each other's resources share a realm, consider moving them into separate realms; the flaw is bounded to resource servers within the same realm
  • Monitor Protection API traffic (requests to /realms/<realm>/authz/protection/resource_set/<uuid>) at the reverse proxy, correlate the calling client with the resource server that owns the UUID, and alert on any GET, PUT or DELETE that crosses resource servers; revoke the credentials of any client exhibiting such activity
  • Keep an export of each resource server's resource definitions so that modified or deleted definitions can be detected and restored
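The monitoring action above, as an added example that is not part of the page or of Keycloak. It assumes a reverse proxy in front of Keycloak that writes combined-format access lines with the bearer token's azp claim appended (the proxy has to be configured to extract it; Keycloak's own access log does not provide the caller), plus an exported inventory mapping each client to its resource server and each resource UUID to its owner. Client names, UUIDs and log lines are all constructed. The path pattern accepts the legacy /auth prefix used by older Keycloak deployments.

```python
import re
from collections import defaultdict

# Constructed inventory (hypothetical IDs). In Keycloak a client with
# Authorization Services enabled is a resource server, and the PAT it obtains
# carries its client_id in the azp claim. Export the real client -> resource
# server and resource -> owner mappings from your realm before using this.
CLIENT_TO_RS = {"billing-app": "rs-billing", "hr-app": "rs-hr"}
RESOURCE_OWNER = {
    "4b1c7d2e-1f0a-4d6b-9c3e-0a1b2c3d4e5f": "rs-billing",  # "invoices"
    "9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b": "rs-hr",       # "payroll"
}

# Assumed log format (constructed lines): proxy combined format plus
# "azp=<client_id>" taken from the bearer token. billing-app reads and
# rewrites hr-app's payroll resource, is refused a delete, then hr-app
# deletes its own resource legitimately.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:11:45:02 +0000] "GET /realms/corp/authz/protection/resource_set/4b1c7d2e-1f0a-4d6b-9c3e-0a1b2c3d4e5f HTTP/1.1" 200 512 azp=billing-app
10.0.0.5 - - [19/May/2026:11:45:09 +0000] "GET /realms/corp/authz/protection/resource_set/9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b HTTP/1.1" 200 498 azp=billing-app
10.0.0.5 - - [19/May/2026:11:45:11 +0000] "PUT /realms/corp/authz/protection/resource_set/9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b HTTP/1.1" 204 0 azp=billing-app
10.0.0.5 - - [19/May/2026:11:45:20 +0000] "DELETE /realms/corp/authz/protection/resource_set/9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b HTTP/1.1" 403 0 azp=billing-app
10.0.0.9 - - [19/May/2026:11:46:00 +0000] "DELETE /realms/corp/authz/protection/resource_set/9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b HTTP/1.1" 204 0 azp=hr-app
10.0.0.5 - - [19/May/2026:11:47:30 +0000] "GET /realms/corp/authz/protection/resource_set/00000000-0000-4000-8000-000000000000 HTTP/1.1" 404 0 azp=billing-app
10.0.0.5 - - [19/May/2026:11:48:00 +0000] "GET /realms/corp/protocol/openid-connect/userinfo HTTP/1.1" 200 300 azp=billing-app
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ azp=(?P<azp>\S+)$'
)
RESOURCE_PATH_RE = re.compile(
    r"^(?:/auth)?/realms/(?P<realm>[^/]+)/authz/protection/resource_set/"
    r"(?P<rid>[0-9a-fA-F-]{36})$"
)


def classify(line):
    """Return a finding for a Protection API resource request that crosses
    resource servers or targets an unknown UUID, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = RESOURCE_PATH_RE.match(m["path"])
    if not p or m["method"] not in ("GET", "PUT", "DELETE"):
        return None
    caller_rs = CLIENT_TO_RS.get(m["azp"])
    owner_rs = RESOURCE_OWNER.get(p["rid"])
    if owner_rs is not None and owner_rs == caller_rs:
        return None  # a resource server managing its own resource
    status = int(m["status"])
    if owner_rs is None:
        severity = "probe"      # UUID not in inventory: possible enumeration
    elif 200 <= status < 300:
        severity = "confirmed"  # the server honoured a cross-resource-server request
    else:
        severity = "attempt"    # rejected (e.g. on a fixed build): still worth a look
    return {"ts": m["ts"], "ip": m["ip"], "azp": m["azp"], "caller_rs": caller_rs,
            "method": m["method"], "realm": p["realm"], "resource": p["rid"],
            "owner_rs": owner_rs, "status": status, "severity": severity}


def scan(log_text):
    """Group findings by calling client; returns (cross_server, probe_counts)."""
    cross, probes = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        f = classify(line)
        if f is None:
            continue
        if f["severity"] == "probe":
            probes[f["azp"]] += 1
        else:
            cross[f["azp"]].append(f)
    return dict(cross), dict(probes)


if __name__ == "__main__":
    cross, probes = scan(SAMPLE_LOG)
    for client, findings in cross.items():
        for f in findings:
            print(f"{f['severity']:9s} {client} {f['method']} {f['resource']} "
                  f"(owner {f['owner_rs']}) -> {f['status']}")
    print("unknown-UUID lookups:", probes)
```

A "confirmed" finding on a 2xx response is the indicator to act on; "attempt" findings after patching show which clients are still trying, and a rising "probe" count is worth a look even though random UUIDs make enumeration impractical.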

Generated by OpenCVE AI on May 19, 2026 at 12:26 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 11:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
Title                (none)           Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference
First Time appeared  (none)           Redhat; Redhat build Keycloak
Weaknesses           (none)           CWE-639
CPEs                 (none)           cpe:/a:redhat:build_keycloak:
Vendors & Products   (none)           Redhat; Redhat build Keycloak
References           (none)           (none)
Metrics              (none)           cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T10:28:15.936Z

Reserved: 2026-03-23T08:12:45.479Z

Link: CVE-2026-4630

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-19T12:16:19.290

Modified: 2026-05-19T14:25:40.320

Link: CVE-2026-4630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses