CVE-2026-4628

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description An improper Access Control issue exists in Keycloak’s User-Managed Access (UMA) resource set endpoint. Attackers possessing valid credentials can circumvent the allowRemoteResourceManagement=false restriction due to insufficient enforcement of access control checks during PUT operations to the resource set endpoint. This allows unauthorized modification of protected resources, potentially compromising data integrity. The affected API endpoint is the resource set endpoint.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.