CVE-2026-4636 - Vulnerability Analysis

Overview

Keycloak contains a broken access control vulnerability caused by improper UMA policy validation allowing authenticated users with uma_protection role to bypass access restrictions, letting attackers gain unauthorized permissions to victim-owned resources, exploit requires authenticated user with uma_protection role.

Severity & Score

Impact

Attackers can gain unauthorized access to victim-owned resources, potentially exposing sensitive information or performing unauthorized actions.

Mitigation

Update to the latest version of Keycloak containing the fix.

References

• https://access.redhat.com/errata/RHSA-2026:6477
• https://access.redhat.com/errata/RHSA-2026:6478
• https://access.redhat.com/security/cve/CVE-2026-4636
• https://bugzilla.redhat.com/show_bug.cgi?id=2450251
• https://access.redhat.com/errata/RHSA-2026:6475
• https://access.redhat.com/errata/RHSA-2026:6476

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner