{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4636", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T08:51:40.787Z", "datePublished": "2026-04-02T12:45:01.841Z", "dateUpdated": "2026-04-02T16:35:04.681Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.2.15-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.4.11-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6475", "name": "RHSA-2026:6475", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6476", "name": "RHSA-2026:6476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4636", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251", "name": "RHBZ#2450251", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-02T12:30:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-551", "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-03-23T08:15:12.427Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T16:35:04.681Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:13:39.068813Z", "id": "CVE-2026-4636", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:31:17.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:13:39.068813Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:13:51.299Z"}}], "cna": {"title": "Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "keycloak-rhel9-operator-container", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4.11-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T08:15:12.427Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "datePublic": "2026-04-02T12:30:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4636", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251", "name": "RHBZ#2450251", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-551", "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T15:43:01.732Z"}, "x_redhatCweChain": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"}}, "cveMetadata": {"cveId": "CVE-2026-4636", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:43:01.732Z", "dateReserved": "2026-03-23T08:51:40.787Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-02T12:45:01.841Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."}], "id": "CVE-2026-4636", "lastModified": "2026-04-02T17:16:30.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-02T13:16:27.210", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6475"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6476"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6477"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6478"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-4636"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-551"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4-14)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 89.0, "source": "matching"}]}, "original": {"product": "Red Hat build of Keycloak 26.4", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T15:25:03.491033+00:00", "value": {"mitigation_remediation": ["Install the Red\u00a0Hat security update RHSA\u20112026:6477 for Keycloak\u202f26.4.", "Install the Red\u00a0Hat security update RHSA\u20112026:6478 for Keycloak\u202f26.4.11.", "Verify that only trusted users are granted the\u202fuma_protection\u202frole and review ownership of resources.", "Monitor Keycloak logs for attempts to create policies that reference resources owned by other users."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Resource Access"}, "threat_synthesis": {"affected_systems": "The affected product is Red\u202fHat Build of Keycloak. Version\u202f26.4 and the 26.4.11 update are affected. The bug was reported against the Red\u202fHat build of Keycloak on Enterprise Linux\u202f9.", "description_and_impact": "A flaw in Keycloak allows an authenticated user with the\u202fuma_protection\u202frole to bypass User\u2011Managed Access policy validation. By including resource identifiers owned by other users in a policy creation request, the attacker can obtain a Requesting Party Token for those resources even though the URL path reflects a different resource. This grants the attacker unauthorized access to victim\u2011owned data and the ability to perform actions on those resources, constituting a serious confidentiality and integrity risk for all users who rely on UMA for access control.", "risk_and_exploitability": "The CVSS score for this issue is\u202f8.1, indicating a high severity. EPSS information is not available, but the impact and the exploitation method are straightforward for users possessing the\u202fuma_protection\u202frole. The bug is not currently listed in the CISA KEV catalog; nevertheless, its severity and the ability to gain a token for another user's resources make it a high\u2011risk vulnerability that should be addressed quickly. The likely attack vector requires an authenticated session with sufficient privilege; once crafted, an unauthorized policy can be submitted and validated by Keycloak, giving the attacker access to the victim\u2019s resources."}}}}, "created": "2026-04-02T20:12:40.625774+00:00", "updated": "2026-04-02T20:21:20.796760+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak"]}