CVE-2026-4636 Overview
A critical authorization bypass vulnerability has been discovered in Keycloak's User-Managed Access (UMA) implementation. An authenticated user with the uma_protection role can circumvent UMA policy validation, allowing them to manipulate resource identifiers during policy creation requests. This flaw enables attackers to reference resources owned by other users in their policies, even when the request URL specifies an attacker-owned resource. As a result, attackers can obtain unauthorized permissions to victim-owned resources, acquire Requesting Party Tokens (RPT), and access sensitive information or perform unauthorized actions.
Critical Impact
Authenticated attackers can bypass UMA policy validation to gain unauthorized access to resources owned by other users, potentially exposing sensitive data and enabling privilege escalation across Keycloak-protected applications.
Affected Products
- Keycloak (all versions prior to security patches)
- Red Hat Single Sign-On (affected versions addressed in RHSA-2026:6475 through RHSA-2026:6478)
- Products using Keycloak UMA authorization services
Discovery Timeline
- April 2, 2026 - CVE-2026-4636 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4636
Vulnerability Analysis
This vulnerability is classified under CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization). The flaw resides in Keycloak's handling of UMA policy creation requests, where the authorization check occurs before proper validation of resource ownership. When an authenticated user with the uma_protection role submits a policy creation request, the system fails to verify that the resource identifiers specified in the request body actually belong to the requesting user.
The attack exploits a disconnect between the URL path (which specifies the attacker's own resource) and the request body (which can contain resource identifiers belonging to other users). This authorization bypass allows the attacker to associate their policies with victim-owned resources, effectively granting themselves access to those resources through the UMA permission system.
Root Cause
The root cause lies in insufficient validation during the UMA policy creation workflow. Specifically, Keycloak does not adequately verify that all resource identifiers included in a policy creation request are owned by the requesting party. The system incorrectly trusts that if the URL path references an attacker-owned resource, then all resource identifiers in the request body must also be legitimate. This assumption creates a security gap that allows resource identifier injection.
Attack Vector
The attack is network-based and can be executed by any authenticated user who possesses the uma_protection role. The attacker crafts a malicious policy creation request where:
- The URL path references a resource legitimately owned by the attacker
- The request body includes resource identifiers belonging to victim users
- The server processes the request without proper ownership validation
- The attacker's policy is applied to victim resources
Once the policy is created, the attacker can request a Requesting Party Token (RPT) that grants access to the victim's resources. This token can then be used to access sensitive data or perform unauthorized operations on those resources.
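The ordering problem described above, shown as an added example that is not Keycloak's own code: a small model of the policy creation check with the flawed variant (authorize on the URL-path resource, then trust whatever the body lists) beside the hardened variant (canonicalize the full set of resource ids first, then authorize each one). The body field name "resources", the ownership table and the user names are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed ownership table (an assumption for the example): resource id -> owning user.
RESOURCE_OWNERS = {
    "res-alice-photos": "alice",
    "res-alice-docs": "alice",
    "res-bob-ledger": "bob",
}


class PolicyRejected(Exception):
    """Raised when a policy creation request fails the ownership check."""


@dataclass(frozen=True)
class PolicyRequest:
    requester: str         # authenticated user holding the uma_protection role
    path_resource_id: str  # resource id taken from the URL path
    body: dict             # parsed JSON body; "resources" is an assumed field name


def owner_of(resource_id: str) -> Optional[str]:
    return RESOURCE_OWNERS.get(resource_id)


def resource_ids_in(req: PolicyRequest) -> set:
    """Canonical set of every resource the new policy would be bound to."""
    return {req.path_resource_id} | set(req.body.get("resources", []))


def create_policy_flawed(req: PolicyRequest) -> dict:
    """Authorization before canonicalization (CWE-551): only the path id is checked."""
    if owner_of(req.path_resource_id) != req.requester:
        raise PolicyRejected("path resource is not owned by the requester")
    # The body is canonicalized only after the decision, so its ids are never checked.
    return {"owner": req.requester, "resources": sorted(resource_ids_in(req))}


def create_policy_hardened(req: PolicyRequest) -> dict:
    """Canonicalize first, then authorize every resource id the policy touches."""
    resources = resource_ids_in(req)
    foreign = sorted(r for r in resources if owner_of(r) != req.requester)
    if foreign:
        raise PolicyRejected(f"{req.requester} does not own: {foreign}")
    return {"owner": req.requester, "resources": sorted(resources)}


def check(req: PolicyRequest) -> tuple:
    """Return (flawed_accepts, hardened_accepts) for one request."""
    outcome = []
    for create in (create_policy_flawed, create_policy_hardened):
        try:
            create(req)
            outcome.append(True)
        except PolicyRejected:
            outcome.append(False)
    return tuple(outcome)


if __name__ == "__main__":
    own_only = PolicyRequest("alice", "res-alice-photos", {"resources": ["res-alice-docs"]})
    cross_user = PolicyRequest("alice", "res-alice-photos", {"resources": ["res-bob-ledger"]})
    print("own resources only:", check(own_only))      # (True, True)
    print("cross-user reference:", check(cross_user))  # (True, False)
```

The hardened variant also rejects ids with no known owner, which is the safer default: an id that cannot be attributed to the requester should never be bound to their policy.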
Detection Methods for CVE-2026-4636
Indicators of Compromise
- Unusual UMA policy creation activity from users with uma_protection role
- Policies referencing resources not owned by the policy creator
- Unexpected RPT requests for resources owned by other users
- Anomalous access patterns to UMA-protected resources
Detection Strategies
- Audit Keycloak access logs for policy creation requests containing resource IDs not belonging to the authenticated user
- Monitor for elevated RPT issuance rates or unusual token request patterns
- Implement logging of UMA policy associations to detect unauthorized resource bindings
- Review authorization decisions for signs of policy-based access to resources by non-owners
Monitoring Recommendations
- Enable detailed logging for UMA policy management endpoints
- Configure alerts for policy creation events involving cross-user resource references
- Implement regular audits of UMA policies to identify orphaned or suspicious policy-resource associations
- Monitor Keycloak authorization events for anomalous access patterns to protected resources
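The two detection strategies above (policy creation requests that reference resources the caller does not own, and unusual RPT request volume) as an added example that is not part of this advisory or of Keycloak: offline detection logic run over a constructed request log. The endpoint paths are Keycloak's UMA policy endpoint and OpenID Connect token endpoint; the JSON-per-line log layout, the ownership table, the user names and the burst threshold are assumptions made for the example.

```python
from __future__ import annotations
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ownership table (an assumption): resource id -> owning user.
RESOURCE_OWNERS = {
    "res-alice-photos": "alice",
    "res-alice-docs": "alice",
    "res-bob-ledger": "bob",
}

# Keycloak's UMA policy endpoint and OpenID Connect token endpoint.
POLICY_PATH = re.compile(r"^/realms/[^/]+/authz/protection/uma-policy/(?P<rid>[^/?]+)$")
TOKEN_PATH = re.compile(r"^/realms/[^/]+/protocol/openid-connect/token$")
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Constructed log, one JSON object per line (not Keycloak's native log format); a
# proxy in front of Keycloak is assumed to record the user, path and parsed body.
SAMPLE_LOG = """\
{"ts": "2026-04-02T10:00:00Z", "user": "alice", "method": "POST", "path": "/realms/demo/authz/protection/uma-policy/res-alice-photos", "body": {"name": "share-docs", "resources": ["res-alice-docs"]}}
{"ts": "2026-04-02T10:01:00Z", "user": "alice", "method": "POST", "path": "/realms/demo/authz/protection/uma-policy/res-alice-photos", "body": {"name": "odd-policy", "resources": ["res-bob-ledger"]}}
{"ts": "2026-04-02T10:05:00Z", "user": "alice", "method": "POST", "path": "/realms/demo/protocol/openid-connect/token", "body": {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket"}}
{"ts": "2026-04-02T10:06:00Z", "user": "alice", "method": "POST", "path": "/realms/demo/protocol/openid-connect/token", "body": {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket"}}
{"ts": "2026-04-02T10:07:00Z", "user": "alice", "method": "POST", "path": "/realms/demo/protocol/openid-connect/token", "body": {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket"}}
{"ts": "2026-04-02T10:30:00Z", "user": "bob", "method": "POST", "path": "/realms/demo/protocol/openid-connect/token", "body": {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket"}}
"""


def parse_log(text: str) -> list:
    """Parse the constructed log into events with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        event.setdefault("body", {})
        events.append(event)
    return events


def detect_cross_user_policies(events: list) -> list:
    """Flag policy creation requests that bind resources the caller does not own."""
    alerts = []
    for e in events:
        match = POLICY_PATH.match(e["path"])
        if e["method"] != "POST" or not match:
            continue
        bound = {match.group("rid")} | set(e["body"].get("resources", []))
        foreign = sorted(r for r in bound if RESOURCE_OWNERS.get(r) != e["user"])
        if foreign:
            alerts.append({"type": "cross_user_policy", "user": e["user"],
                           "ts": e["ts"].isoformat(), "foreign": foreign})
    return alerts


def detect_rpt_bursts(events: list, window=timedelta(minutes=5), threshold=3) -> list:
    """Flag a user making `threshold` or more UMA-ticket token requests within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if (e["method"] == "POST" and TOKEN_PATH.match(e["path"])
                and e["body"].get("grant_type") == UMA_GRANT):
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"type": "rpt_burst", "user": user,
                               "count": end - start + 1, "since": stamps[start].isoformat()})
                break                            # one alert per user is enough
    return alerts


def run(log_text: str) -> list:
    events = parse_log(log_text)
    return detect_cross_user_policies(events) + detect_rpt_bursts(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

In a real deployment the ownership table would come from the Keycloak resource registry rather than a literal, and the burst threshold should be tuned against the normal RPT request rate of each client.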
How to Mitigate CVE-2026-4636
Immediate Actions Required
- Apply the latest security patches from Red Hat as referenced in the security advisories
- Review existing UMA policies for unauthorized resource associations
- Audit users with the uma_protection role and restrict this privilege to only necessary accounts
- Monitor UMA policy creation activity while awaiting patch deployment
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations should apply the patches from the following advisories:
- Red Hat Security Advisory RHSA-2026:6475
- Red Hat Security Advisory RHSA-2026:6476
- Red Hat Security Advisory RHSA-2026:6477
- Red Hat Security Advisory RHSA-2026:6478
For detailed CVE information, refer to the Red Hat CVE Details for CVE-2026-4636 and Red Hat Bug Report #2450251.
Workarounds
- Restrict the uma_protection role to only highly trusted administrative accounts until patches are applied
- Implement additional authorization checks at the application layer before trusting RPTs
- Consider temporarily disabling UMA policy creation functionality if it is not business-critical
- Deploy network-level controls to limit access to Keycloak administration endpoints
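The application-layer check suggested in the workarounds, as an added example that is not Keycloak's code or part of this advisory: a resource server honors a permission carried in an RPT only when the token subject owns the resource or the owner has explicitly approved a share covering the requested scope, so a policy that was bound to a foreign resource does not translate into access. The `authorization.permissions` layout with `rsid`, `rsname` and `scopes` follows the RPT payload Keycloak issues; the example assumes the token's signature and expiry were already verified, and the ownership table, the approved-shares table and the user names are constructed assumptions.

```python
from __future__ import annotations

# Constructed ownership table (an assumption): resource id -> owning user.
RESOURCE_OWNERS = {
    "res-alice-photos": "alice",
    "res-alice-docs": "alice",
    "res-bob-ledger": "bob",
}
# (resource id, grantee) -> scopes the owner explicitly approved; this table is
# kept by the application itself, independently of Keycloak's policy store.
APPROVED_SHARES = {
    ("res-alice-docs", "bob"): {"read"},
}


def authorize_rpt(claims: dict, resource_id: str, scope: str) -> tuple:
    """Decide whether an already-verified RPT may be honored for one resource and scope.

    Returns (allowed, reason). The permission in the token is necessary but not
    sufficient: the subject must own the resource or hold an owner-approved share
    for the requested scope. This example requires the scope to be listed explicitly
    in the permission entry.
    """
    subject = claims.get("sub")
    permissions = claims.get("authorization", {}).get("permissions", [])
    for perm in permissions:
        if perm.get("rsid") != resource_id:
            continue
        if scope not in perm.get("scopes", []):
            return False, "requested scope not in RPT"
        if RESOURCE_OWNERS.get(resource_id) == subject:
            return True, "subject owns resource"
        if scope in APPROVED_SHARES.get((resource_id, subject), set()):
            return True, "owner-approved share"
        return False, "RPT grants access the owner never approved"
    return False, "no RPT permission for resource"


def rpt_claims(subject: str, rsid: str, scopes: list) -> dict:
    """Build a constructed RPT payload in Keycloak's permissions layout."""
    return {"sub": subject,
            "authorization": {"permissions": [{"rsid": rsid, "rsname": rsid, "scopes": scopes}]}}


if __name__ == "__main__":
    print(authorize_rpt(rpt_claims("alice", "res-alice-photos", ["read"]), "res-alice-photos", "read"))
    print(authorize_rpt(rpt_claims("bob", "res-alice-docs", ["read"]), "res-alice-docs", "read"))
    print(authorize_rpt(rpt_claims("bob", "res-alice-photos", ["read"]), "res-alice-photos", "read"))
```

The third call is the case that matters here: a token that names a resource the subject neither owns nor was granted is denied even though Keycloak issued it, which limits the blast radius until the patched authorization server is in place.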
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.