Description
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Published: 2026-04-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to User Resources
Action: Immediate Patch
AI Analysis

Impact

An authenticated user with the uma_protection role can bypass Keycloak’s User‑Managed Access policy validation. The attacker can request the creation of a policy that references resources belonging to other users, even when the request’s URL points to an attacker‑owned resource. If successful, the attacker receives a Requesting Party Token that grants them unauthorized access to the victim’s protected resources, permitting disclosure of sensitive data or execution of unauthorized operations.
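As an added example that is not Keycloak's code, the following Python models the server-side validation the description says was bypassed: the resource ids in the policy body are checked against the requester independently of the URL path, so a request whose path names the requester's own resource but whose body lists another user's resource is rejected. Resource, PolicyRequest, validate_policy_request and the sample data are assumptions constructed for this model.

```python
# Illustrative model (not Keycloak's code) of the server-side check that the
# advisory describes as missing: when a UMA policy is created through a URL
# path that names one resource, every resource id in the body must also belong
# to the same user. Names, structures and messages are assumptions.
from dataclasses import dataclass

@dataclass
class Resource:
    id: str
    owner: str  # user id of the resource owner

@dataclass
class PolicyRequest:
    requester: str                # authenticated user holding uma_protection
    path_resource_id: str         # resource id taken from the URL path
    body_resource_ids: list[str]  # resource ids listed in the request body

def validate_policy_request(req: PolicyRequest, resources: dict) -> list[str]:
    """Return rejection reasons; an empty list means the request may proceed."""
    problems = []
    path_res = resources.get(req.path_resource_id)
    if path_res is None:
        return [f"unknown path resource {req.path_resource_id}"]
    if path_res.owner != req.requester:
        problems.append(f"path resource {path_res.id} is not owned by {req.requester}")
    # Core of the fix: check the body's resource ids, not only the path's.
    for rid in req.body_resource_ids:
        res = resources.get(rid)
        if res is None:
            problems.append(f"unknown body resource {rid}")
        elif res.owner != req.requester:
            problems.append(f"body resource {rid} is owned by {res.owner}, not {req.requester}")
        elif rid != req.path_resource_id:
            problems.append(f"body resource {rid} does not match path resource {req.path_resource_id}")
    return problems

# Constructed sample data: two users, one resource each.
RESOURCES = {
    "res-alice": Resource("res-alice", owner="alice"),
    "res-bob": Resource("res-bob", owner="bob"),
}

def demo() -> dict:
    """An honest request and one that smuggles another user's resource id."""
    honest = PolicyRequest("alice", "res-alice", ["res-alice"])
    cross_user = PolicyRequest("alice", "res-alice", ["res-alice", "res-bob"])
    return {"honest": validate_policy_request(honest, RESOURCES),
            "cross_user": validate_policy_request(cross_user, RESOURCES)}
```

Calling demo() returns an empty problem list for the honest request and a single rejection naming res-bob for the cross-user one.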

Affected Systems

Red Hat builds of Keycloak 26.2 (up through 26.2.15) and 26.4 (up through 26.4.11) are vulnerable. The affected packages are identified in Red Hat Composite Package Sets 26.2 and 26.4 for Enterprise Linux 9, as listed in the advisory.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. EPSS data is not available, and the vulnerability is currently not listed in the CISA KEV catalog. Because the flaw requires an authenticated user with a specific role, the attack vector is internal or within a compromised user session. Nonetheless, the impact is significant—unauthorized access to protected resources—so the risk remains high if the vulnerability is not patched.

Generated by OpenCVE AI on April 2, 2026 at 22:59 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check the installed Keycloak version; if it is 26.2.x or 26.4.x, proceed to update.
  • Download and apply the Red Hat security updates RHSA‑2026:6475 to RHSA‑2026:6478, which contain the Keycloak patches for the affected releases.
  • Verify that the packages have been upgraded to the patched state by checking the package version or running the official Red Hat CVE check utilities.


Advisories

Source: GitHub GHSA
ID: GHSA-f2hx-5fx3-hmcv
Title: Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

History

Thu, 16 Apr 2026 21:00:00 +0000

CPEs added:
  cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*

Fri, 03 Apr 2026 01:30:00 +0000

References
Metrics (threat_severity): removed "None", added "Important"

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared: Redhat build Of Keycloak
CPEs added: cpe:/a:redhat:build_keycloak:26.2::el9
Vendors & Products added: Redhat build Of Keycloak
References

Thu, 02 Apr 2026 14:15:00 +0000

CPEs: removed cpe:/a:redhat:build_keycloak:, added cpe:/a:redhat:build_keycloak:26.4::el9
References
Metrics (ssvc) added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 13:15:00 +0000

Description added: A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Title added: Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.
First Time appeared: Redhat; Redhat build Keycloak
Weaknesses added: CWE-551
CPEs added: cpe:/a:redhat:build_keycloak:
Vendors & Products added: Redhat; Redhat build Keycloak
References
Metrics (cvssV3_1) added:
  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-02T16:35:04.681Z
Reserved: 2026-03-23T08:51:40.787Z
Link: CVE-2026-4636

Vulnrichment

Updated: 2026-04-02T13:13:51.299Z

NVD

Status: Analyzed
Published: 2026-04-02T13:16:27.210
Modified: 2026-04-16T20:50:00.623
Link: CVE-2026-4636

Red Hat

Severity: Important
Public Date: 2026-04-02T12:30:00Z
Links: CVE-2026-4636 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:46Z

Weaknesses