Impact
An authenticated user who possesses a User-Managed Access permission ticket for a single resource can exploit a flaw in the Keycloak authorization component. By using a special permission request prefix, the attacker bypasses per‑resource access control and gains unauthorized read or modify access to every resource of the same type on the resource server. This leads to information disclosure or modification of resources that the user does not explicitly own or have permission for.
Affected Systems
Red Hat’s Build of Keycloak is affected. No specific product versions are listed; the flaw resides in the core authorization logic of the Keycloak server. The attack can occur on any deployment where the resource server is set to PERMISSIVE policy enforcement mode, the resources are typed with ownerManagedAccess enabled, and no explicit policy protects that resource type.
Risk and Exploitability
The CVSS score of 4.6 indicates moderate impact under best‑effort threat model. EPSS is not available, so current exploitation probability is unknown. This vulnerability is not in CISA’s KEV catalog. The attacker must first authenticate to the Keycloak server and obtain a valid UMA permission ticket, then send a crafted permission request. The weakness is a CWE‑639 (Authorization Bypass Through User-Controlled Key) and relies on misconfiguration rather than a pure software flaw. When the resource server is configured in PERMISSIVE mode, the flaw becomes exploitable, allowing the attacker to read or alter resources belonging to that type.
OpenCVE Enrichment