RHSA-2026:6475

Vulnerability from csaf_redhat - Published: 2026-04-02 13:53 - Updated: 2026-04-02 16:39
Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.15 Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.2.15 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.2.15 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:
* Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)
* Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)
* UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (CVE-2026-4636)
* Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)
* Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Vendor Fix: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. https://access.redhat.com/errata/RHSA-2026:6475
Workaround: To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.
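The workaround above calls for explicit, fully qualified redirect URIs without wildcards. The following script is an added example, not Red Hat's or the Keycloak project's code, that audits a Keycloak realm export for client redirect URIs violating that rule; it assumes the realm export layout (a top-level "clients" list whose entries carry "clientId" and "redirectUris"), and the sample realm it checks is constructed.

```python
"""Audit a Keycloak realm export for redirect URIs that rely on wildcards.

Added example (not Red Hat's or the Keycloak project's code). It assumes the
Keycloak realm export layout: a top-level "clients" list whose entries carry
"clientId" and "redirectUris". The sample realm below is constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed sample realm export: one compliant client, two that rely on
# wildcards, and one with a relative (not fully qualified) URI.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "billing-app",
         "redirectUris": ["https://apps.example.test/billing/callback"]},
        {"clientId": "legacy-portal",
         "redirectUris": ["https://apps.example.test/portal/*"]},
        {"clientId": "dev-tools",
         "redirectUris": ["*", "http://localhost:8080/cb"]},
        {"clientId": "intranet",
         "redirectUris": ["/intranet/callback"]},
    ],
})


def classify_redirect_uri(uri):
    """Return a list of findings for one redirect URI (empty if acceptable).

    An acceptable entry, per the advisory workaround, is an explicit, fully
    qualified URI: it has a scheme and a host and contains no '*' anywhere.
    """
    findings = []
    if "*" in uri:
        findings.append("wildcard")
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        findings.append("not-fully-qualified")
    return findings


def audit_realm_export(export_json):
    """Parse a realm export and return {clientId: {uri: [findings]}} covering
    every client that has at least one non-compliant redirect URI."""
    realm = json.loads(export_json)
    report = {}
    for client in realm.get("clients", []):
        bad = {}
        for uri in client.get("redirectUris", []):
            findings = classify_redirect_uri(uri)
            if findings:
                bad[uri] = findings
        if bad:
            report[client.get("clientId", "<unnamed>")] = bad
    return report


if __name__ == "__main__":
    # Print one line per flagged URI so the output can be pasted into a ticket.
    for client_id, uris in audit_realm_export(SAMPLE_REALM_EXPORT).items():
        for uri, findings in uris.items():
            print(f"{client_id}: {uri!r} -> {', '.join(findings)}")
```

Run it against a real export (for example one produced with `kc.sh export`) by reading the file contents into `audit_realm_export` instead of the constructed sample.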

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.

CWE-653 - Improper Isolation or Compartmentalization
Vendor Fix: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. https://access.redhat.com/errata/RHSA-2026:6475
Workaround: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.

CWE-653 - Improper Isolation or Compartmentalization
Vendor Fix: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. https://access.redhat.com/errata/RHSA-2026:6475
Workaround: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.

CWE-1050 - Excessive Platform Resource Consumption within a Loop
Vendor Fix: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. https://access.redhat.com/errata/RHSA-2026:6475
Workaround: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Vendor Fix: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. https://access.redhat.com/errata/RHSA-2026:6475
Workaround: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Acknowledgments
Ngọc Chung Kim
Slvrqn

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat build of Keycloak 26.2.15 packages are available from the Customer Portal",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Keycloak 26.2.15 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)\n* Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)\n* UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources ( CVE-2026-4636)\n* Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)\n* Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:6475",
        "url": "https://access.redhat.com/errata/RHSA-2026:6475"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6475.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.15 Update",
    "tracking": {
      "current_release_date": "2026-04-02T16:39:28+00:00",
      "generator": {
        "date": "2026-04-02T16:39:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.4"
        }
      },
      "id": "RHSA-2026:6475",
      "initial_release_date": "2026-04-02T13:53:32+00:00",
      "revision_history": [
        {
          "date": "2026-04-02T13:53:32+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-02T13:53:32+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-02T16:39:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Keycloak 26.2.15",
                "product": {
                  "name": "Red Hat build of Keycloak 26.2.15",
                  "product_id": "Red Hat build of Keycloak 26.2.15",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Keycloak"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-3872",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "discovery_date": "2026-03-10T09:16:29.034000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2445988"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important information disclosure flaw in Keycloak\u0027s `redirect_uri` validation logic. An attacker controlling another path on the same web server could bypass allowed paths in wildcard `redirect_uri` configurations, potentially leading to access token theft. This affects Red Hat Build of Keycloak (RHBK) versions rhbk-26.2 and rhbk-26.4. Red Hat Build of Keycloak (RHBK) version rhbk-26 is not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.2.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-3872"
        },
        {
          "category": "external",
          "summary": "RHBZ#2445988",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-3872",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3872"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872"
        }
      ],
      "release_date": "2026-04-02T12:30:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-02T13:53:32+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass"
    },
    {
      "cve": "CVE-2026-4282",
      "cwe": {
        "id": "CWE-653",
        "name": "Improper Isolation or Compartmentalization"
      },
      "discovery_date": "2026-03-16T15:53:57.767000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2448061"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an IMPORTANT vulnerability in Keycloak. An unauthenticated attacker can exploit a lack of type and namespace isolation in Keycloak\u0027s SingleUseObjectProvider to forge authorization codes and obtain admin-capable access tokens. This could lead to unauthorized administrative access within affected Keycloak deployments.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.2.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4282"
        },
        {
          "category": "external",
          "summary": "RHBZ#2448061",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-4282",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4282"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282"
        }
      ],
      "release_date": "2026-04-02T12:30:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-02T13:53:32+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Ng\u1ecdc Chung Kim"
          ]
        }
      ],
      "cve": "CVE-2026-4325",
      "cwe": {
        "id": "CWE-653",
        "name": "Improper Isolation or Compartmentalization"
      },
      "discovery_date": "2026-03-17T12:43:09.194000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2448351"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Replay of action tokens via improper handling of single-use entries",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw in Keycloak\u0027s SingleUseObjectProvider has a MODERATE impact. It allows an attacker to delete arbitrary single-use entries, which could lead to the replay of consumed action tokens such as password reset links. Exploitation requires high attack complexity and user interaction.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.2.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4325"
        },
        {
          "category": "external",
          "summary": "RHBZ#2448351",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448351"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-4325",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4325"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325"
        }
      ],
      "release_date": "2026-04-02T12:30:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-02T13:53:32+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "keycloak: Keycloak: Replay of action tokens via improper handling of single-use entries"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Slvrqn"
          ]
        }
      ],
      "cve": "CVE-2026-4634",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2026-03-23T08:40:02.817000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2450250"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service vulnerability in Red Hat Build of Keycloak (RHBK). An unauthenticated attacker can exploit this flaw by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect token endpoint, leading to high resource consumption and prolonged processing times on the Keycloak server.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.2.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4634"
        },
        {
          "category": "external",
          "summary": "RHBZ#2450250",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450250"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-4634",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4634"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4634",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4634"
        }
      ],
      "release_date": "2026-04-02T12:30:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-02T13:53:32+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters"
    },
    {
      "cve": "CVE-2026-4636",
      "cwe": {
        "id": "CWE-551",
        "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
      },
      "discovery_date": "2026-03-23T08:15:12.427000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2450251"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Important vulnerability in Keycloak allows an authenticated user with the `uma_protection` role to bypass User-Managed Access (UMA) policy validation. Exploitation requires that victim users have created UMA-protected resources with `ownerManagedAccess` enabled and that authorization services are enabled on the client. This flaw enables an attacker to gain unauthorized permissions to victim-owned resources within Red Hat Build of Keycloak.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.2.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4636"
        },
        {
          "category": "external",
          "summary": "RHBZ#2450251",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-4636",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4636"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4636",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4636"
        }
      ],
      "release_date": "2026-04-02T12:30:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-02T13:53:32+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.2.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources."
    }
  ]
}
