Insecure Direct Object Reference Vulnerability in Keycloak by Red Hat
CVE-2026-4630

6.8 MEDIUM

What is CVE-2026-4630?

A vulnerability in Keycloak allows an authenticated client to exploit an Insecure Direct Object Reference (IDOR) in the Authorization Services Protection API endpoint. By leveraging knowledge of another Resource Server's unique identifier (UUID) within the same realm, the client can circumvent authorization checks. This exploitation enables unauthorized GET, PUT, and DELETE operations on resources, which may result in unauthorized access to sensitive information and potential modification or deletion of data.
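As an added illustration (not Keycloak's code), the constructed model below contrasts the IDOR pattern the advisory describes with an ownership-scoped lookup: resources are resolved only within the calling client's own resource server and realm, so a foreign UUID behaves like a non-existent one for GET, PUT and DELETE. Resource server ids, UUIDs and the `handle` dispatcher are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed in-memory model: each protected resource belongs to exactly one
# resource server (the client that registered it) inside a realm.

@dataclass
class Resource:
    id: str            # resource UUID
    owner_rs_id: str   # id of the resource server that registered it
    realm: str
    name: str


@dataclass
class ProtectionToken:
    """Minimal view of the caller's protection token: its client and realm."""
    rs_id: str
    realm: str


# Constructed sample data: two resource servers in the same realm.
RES_A = "11111111-1111-4111-8111-111111111111"
RES_B = "22222222-2222-4222-8222-222222222222"
RESOURCES: Dict[str, Resource] = {
    RES_A: Resource(RES_A, "rs-A", "demo", "invoices"),
    RES_B: Resource(RES_B, "rs-B", "demo", "payroll"),
}


def lookup_vulnerable(token: ProtectionToken, resource_id: str) -> Optional[Resource]:
    """IDOR pattern: the record is fetched by identifier alone, so the
    caller's identity never enters the decision."""
    return RESOURCES.get(resource_id)


def lookup_hardened(token: ProtectionToken, resource_id: str) -> Optional[Resource]:
    """Ownership-scoped lookup: the id is resolved only inside the caller's
    realm and resource server; anything else is reported as not found, which
    also avoids confirming that another server's resource exists."""
    res = RESOURCES.get(resource_id)
    if res is None or res.realm != token.realm or res.owner_rs_id != token.rs_id:
        return None
    return res


def handle(method: str, token: ProtectionToken, resource_id: str,
           lookup: Callable[[ProtectionToken, str], Optional[Resource]]) -> int:
    """Status a resource_set/{id} style call would return under a lookup policy.
    The model only reports the decision; no data is mutated."""
    res = lookup(token, resource_id)
    if res is None:
        return 404
    if method == "GET":
        return 200
    if method in ("PUT", "DELETE"):
        return 204
    return 405
```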

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.12-1

Red Hat build of Keycloak 26.4 26.4-17

References

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
