Vulnerability Details CVE-2026-4628
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.3%
CVSS Severity
CVSS v3 Score 4.3
References
Products affected by CVE-2026-4628
-
cpe:2.3:a:redhat:build_of_keycloak:-