Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-4636 · CVSS 8.1 · EXPLOITED · PATCHED
Vendor: Red Hat · Product: Keycloak

Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.

Description

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

Affected Products

Vendor:   Red Hat
Product:  Keycloak
Versions: maven/org.keycloak:keycloak-services < 26.5.7

References

  • https://access.redhat.com/errata/RHSA-2026:6475 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:6476 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:6477 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:6478 (vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/security/cve/CVE-2026-4636 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2450251 (issue-tracking, x_refsource_REDHAT)

Related News (1 article)

  • Tier C · VulDB · 4d ago
    CVE-2026-4636 | Keycloak incorrect behavior order (RHSA-2026:6477)
    → No new info (linked only)
CVSS 3.1:          8.1 HIGH
Vector:            CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA KEV:          No
Actively exploited: Yes
Patch available:   org.keycloak:keycloak-services@26.5.7
CWE:               CWE-551
Published:         Apr 2, 2026
Last enriched:     4d ago (v2)
Trending Score:    27
Source articles:   1
Independent:       1
Info Completeness: 8/14
Missing:           versions, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • HIGH · CVE-2026-33540 · EXP
    Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
    Trending: 64
  • HIGH · CVE-2026-4634 · EXP
    Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters
    Trending: 30
  • CRITICAL · CVE-2026-5704
    Tar: tar: hidden file injection via crafted archives
    Trending: 30
  • HIGH · CVE-2026-3872 · EXP
    Keycloak: keycloak: information disclosure due to redirect_uri validation bypass
    Trending: 27
  • HIGH · CVE-2026-4282 · EXP
    Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw
    Trending: 27


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 2, 2026
  • Discovered by ZDM: Apr 2, 2026
  • Updated (description, severity, activelyExploited): Apr 2, 2026
  • Actively Exploited: Apr 2, 2026
  • Patch Available: Apr 2, 2026

Version History

Current version: v2 (last enriched 4d ago)

v2 · Tier C · 4d ago

Updated severity to CRITICAL, changed exploit availability to false, and provided a new description detailing the vulnerability.

Fields changed: description, severity, activelyExploited
Source: via VulDB

v1 · 4d ago

Initial creation