CVE-2026-4628

Published: 23 Mar 2026
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

Report

MODERATE: This flaw in Keycloak allows authenticated attackers to bypass the allowRemoteResourceManagement=false restriction, enabling unauthorized modification of protected resources. This impacts data integrity in Red Hat Build of Keycloak (RHBK) version rhbk-26.4. Other Red Hat products, including Enterprise Application Platform and Red Hat Single Sign-On, are not affected as the vulnerable code is not present.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform                                                      Package            State          Advisory   Release
Red Hat Build of Keycloak                                     keycloak-services  Affected
Red Hat JBoss Enterprise Application Platform 8               keycloak-services  Not affected
Red Hat JBoss Enterprise Application Platform Expansion Pack  keycloak-services  Not affected
Red Hat Single Sign-On 7                                      keycloak-services  Not affected


Additional information

Status: Moderate
Weakness: CWE-284
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2450240
keycloak: org.keycloak.authorization: Keycloak: Unauthorized resource modification due to improper access control

EPSS: 0.00025 (percentile: 7%, Low)

CVSS3: 4.3 (Medium)

Related vulnerabilities

CVSS3: 4.3
Source: nvd
17 days ago

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

CVSS3: 4.3
Source: debian
17 days ago

A flaw was found in Keycloak. An improper Access Control vulnerability ...

CVSS3: 4.3
Source: github
17 days ago

Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false