CVE-2026-4630

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description An Insecure Direct Object Reference (IDOR) flaw exists in the Authorization Services Protection API endpoint. An authenticated client can bypass authorization checks by providing the unique identifier (UUID) of a resource belonging to a different Resource Server within the same realm. This allows unauthorized GET, PUT, and DELETE operations, which can result in information disclosure or the unauthorized modification and deletion of data.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.