CVE-2026-4628

CVSS v3.1

4.3

Medium

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2026-4628

Affected Products

Red Hat Build Of Keycloak

Red Hat Enterprise Application Platform 8

Red Hat Jboss Enterprise Application Platform Expansion Pack

Red Hat Single Sign-On 7

CVE-2026-4628

Weakness Enumeration

Related Identifiers

Affected Products

References · 3