Access Control Flaw in Keycloak's User-Managed Access Feature
CVE-2026-4628
4.3 MEDIUM
What is CVE-2026-4628?
An improper access control vulnerability exists in Keycloak's User-Managed Access (UMA) resource_set endpoint. This flaw allows attackers with valid credentials to bypass intended restrictions on remote resource management. Incomplete enforcement of access control checks during PUT operations to the resource_set endpoint enables unauthorized modifications to protected resources, compromising data integrity. It is crucial for system administrators to review access configurations and apply necessary updates to mitigate this risk.
References
CVSS v3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
Red Hat would like to thank Evan Hendra for reporting this issue.