{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4636", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T08:51:40.787Z", "datePublished": "2026-04-02T12:45:01.841Z", "dateUpdated": "2026-04-02T16:35:04.681Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.2.15-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.4.11-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6475", "name": "RHSA-2026:6475", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6476", "name": "RHSA-2026:6476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4636", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251", "name": "RHBZ#2450251", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-02T12:30:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-551", "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-03-23T08:15:12.427Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T16:35:04.681Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:13:39.068813Z", "id": "CVE-2026-4636", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:31:17.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:13:39.068813Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:13:51.299Z"}}], "cna": {"title": "Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "keycloak-rhel9-operator-container", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4.11-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T08:15:12.427Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "datePublic": "2026-04-02T12:30:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4636", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251", "name": "RHBZ#2450251", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-551", "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T15:43:01.732Z"}, "x_redhatCweChain": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"}}, "cveMetadata": {"cveId": "CVE-2026-4636", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:43:01.732Z", "dateReserved": "2026-03-23T08:51:40.787Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-02T12:45:01.841Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "1830E455-7E11-4264-862D-05971A42D4A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*", "matchCriteriaId": "C339EBE3-6BFD-4082-B904-4E8DB87AAE68", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*", "matchCriteriaId": "3BDF8A92-727E-401B-80BB-A141DCB39750", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*", "matchCriteriaId": "100AA077-7467-4F62-A8FD-88BC336972DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*", "matchCriteriaId": "17E79930-BE1C-4901-AF63-36B3EB149AFC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."}], "id": "CVE-2026-4636", "lastModified": "2026-04-16T20:50:00.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-02T13:16:27.210", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:6475"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:6476"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:6477"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:6478"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-4636"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-551"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-operator-bundle:26.2.15-1", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9:26.2-18", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9-operator:26.2-18", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6475", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.2.15", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-operator-bundle:26.4.11-1", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9:26.4-14", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9-operator:26.4-14", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6477", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.4.11", "release_date": "2026-04-02T00:00:00Z"}], "bugzilla": {"description": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.", "id": "2450251", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-551", "details": ["A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-4636", "public_date": "2026-04-02T12:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4636\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4636"], "statement": "This Important vulnerability in Keycloak allows an authenticated user with the `uma_protection` role to bypass User-Managed Access (UMA) policy validation. Exploitation requires that victim users have created UMA-protected resources with `ownerManagedAccess` enabled and that authorization services are enabled on the client. This flaw enables an attacker to gain unauthorized permissions to victim-owned resources within Red Hat Build of Keycloak.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4-14)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 89.0, "source": "matching"}]}, "original": {"product": "Red Hat build of Keycloak 26.4", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T22:59:42.284318+00:00", "value": {"mitigation_remediation": ["Check the installed Keycloak version; if it is 26.2.x or 26.4.x, proceed to update.", "Download and apply the Red\u00a0Hat security updates RHSA\u20112026:6475 to RHSA\u20112026:6478, which contain the Keycloak patches for the affected releases.", "Verify that the packages have been upgraded to the patched state by checking the package version or running the official Red\u00a0Hat CVE check utilities."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to User Resources"}, "threat_synthesis": {"affected_systems": "Red\u00a0Hat builds of Keycloak 26.2 (up through 26.2.15) and 26.4 (up through 26.4.11) are vulnerable. The affected packages are identified in Red\u00a0Hat Composite Package Sets 26.2 and 26.4 for Enterprise Linux\u00a09, as listed in the advisory.", "description_and_impact": "An authenticated user with the uma_protection role can bypass Keycloak\u2019s User\u2011Managed Access policy validation. The attacker can request the creation of a policy that references resources belonging to other users, even when the request\u2019s URL points to an attacker\u2011owned resource. If successful, the attacker receives a Requesting Party Token that grants them unauthorized access to the victim\u2019s protected resources, permitting disclosure of sensitive data or execution of unauthorized operations.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. EPSS data is not available, and the vulnerability is currently not listed in the CISA KEV catalog. Because the flaw requires an authenticated user with a specific role, the attack vector is internal or within a compromised user session. Nonetheless, the impact is significant\u2014unauthorized access to protected resources\u2014so the risk remains high if the vulnerability is not patched."}}}}, "created": "2026-04-02T20:12:40.625774+00:00", "updated": "2026-04-03T09:18:46.972309+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak"]}