Platform: java
Component: org.keycloak:keycloak-services
Fixed in: 26.5.7
CVE-2026-4636 is a security vulnerability discovered in Keycloak Services. This flaw allows an authenticated user with the uma_protection role to bypass User-Managed Access (UMA) policy validation, potentially leading to unauthorized access to sensitive data and actions. The vulnerability impacts Keycloak versions 9.0.3 and earlier, and a fix is available in version 26.5.7.
The core impact of CVE-2026-4636 lies in the ability to circumvent UMA policies. An attacker who is already authenticated and holds the uma_protection role can craft requests that include resource identifiers belonging to other users. This allows the attacker to obtain a Requesting Party Token (RPT) for resources they should not be able to access, and then use that RPT to read sensitive information or perform unauthorized actions on behalf of the victim user. This is effectively a privilege escalation within the Keycloak environment, and if the victim user holds elevated permissions it could compromise the entire system. The blast radius covers every resource protected by UMA policies and every user whose resources are targeted.
CVE-2026-4636 was publicly disclosed on April 2, 2026. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature suggests a moderate probability of exploitation (medium EPSS score) once a PoC is released. Operators of Keycloak deployments should treat attackers targeting this flaw as a potential threat.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4636 is to upgrade Keycloak Services to version 26.5.7 or later. If an immediate upgrade is not feasible, tighten access controls to limit the number of users and clients holding the uma_protection role, and review existing UMA policies to ensure they are properly configured and do not inadvertently grant excessive permissions. A Web Application Firewall (WAF) can be configured with rules to detect and block UMA policy creation requests that attempt to manipulate resource identifiers. Monitor Keycloak logs for suspicious activity, particularly UMA policy requests that reference resource identifiers owned by a different user than the requester. After upgrading, confirm the fix by attempting to create a UMA policy with a resource identifier belonging to a different user and verifying that the request is rejected.
Update Keycloak to the latest available version that contains the fix for this vulnerability. Refer to Red Hat security advisories (RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477) for more details and specific upgrade instructions.
CVE-2026-4636 is a HIGH severity vulnerability in Keycloak Services affecting versions ≤9.0.3. It allows an authenticated user to bypass UMA policies, potentially granting unauthorized access to resources.
If you are running Keycloak Services version 9.0.3 or earlier, you are potentially affected by this vulnerability. Upgrade to 26.5.7 to mitigate the risk.
The recommended fix is to upgrade Keycloak Services to version 26.5.7 or later. Consider stricter access controls and WAF rules as interim mitigations.
While there are no confirmed reports of active exploitation at this time, the vulnerability's nature suggests a potential for exploitation once a public proof-of-concept is available.
Refer to the official Keycloak security advisory for detailed information and updates: [https://www.keycloak.org/security/advisories](https://www.keycloak.org/security/advisories)