CVE-2026-4636：Keycloak UMA策略绕过，权限提升

在 Red Hat Build of Keycloak 26.2 中发现了一个关键漏洞 (CVE-2026-4636)，CVSS 评分为 8.1。 此漏洞允许具有 'uma_protection' 角色的经过身份验证的用户绕过用户管理的访问 (UMA) 策略验证。攻击者可以将其他用户拥有的资源标识符包含在策略创建请求中，即使 URL 路径指定了攻击者拥有的资源。结果，攻击者获得了对受害者拥有的资源的未经授权的权限，从而可以获取请求方令牌 (RPT) 并访问敏感信息或执行未经授权的操作。此漏洞的严重性在于其可能损害数据安全和系统完整性的潜力，尤其是在使用 UMA 控制对敏感资源访问的环境中。 成功利用可能导致敏感信息泄露、数据篡改和权限提升。

Organizations heavily reliant on Keycloak for authentication and authorization, particularly those utilizing User-Managed Access (UMA) policies, are at significant risk. Environments with a large number of users granted the uma_protection role, or those with complex UMA policy configurations, should prioritize remediation. Shared hosting environments using Keycloak are also at increased risk due to the potential for cross-tenant exploitation.

• java / server:

# Check Keycloak version
java -jar keycloak.jar --version

• java / server:

# Monitor Keycloak logs for suspicious UMA policy creation requests
grep -i 'resource identifier' /path/to/keycloak/logs/keycloak.log

• generic web:

# Check for unusual UMA policy endpoints
curl -I https://your-keycloak-instance/realms/your-realm/uma/policies

1. 2026-04-02Disclosure

   disclosure

1. 已保留2026-03-23
2. 发布日期2026-04-02
3. 修改日期2026-04-04
4. EPSS 更新日期2026-04-10

针对此漏洞的建议缓解措施是升级到 Red Hat Build of Keycloak 26.5.7 或更高版本。此版本包含解决 UMA 策略验证漏洞的修复程序。建议尽快应用此更新以最大程度地降低利用风险。此外，请审查现有的 UMA 配置，以确保策略定义正确且用户角色分配安全。监控 Keycloak 日志以查找可疑活动也可以帮助检测和响应潜在的利用尝试。应遵循变更管理最佳实践来执行更新，以避免服务中断。在将更新应用于生产环境之前，建议在测试环境中进行彻底的测试。