CVE-2026-4628 in Keycloak
Summary
by MITRE • 03/23/2026
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Analysis
by VulDB Data Team • 04/01/2026
The vulnerability identified as CVE-2026-4628 is an improper access control flaw in the Keycloak identity and access management platform. It affects the User-Managed Access (UMA) functionality, which lets users grant fine-grained access to resources they own, and specifically the protection API's resource_set endpoint, through which a resource server registers and maintains the resource definitions it protects. The flaw stems from incomplete enforcement of access control checks on PUT operations to that endpoint, which leaves a gap in the platform's authorization framework.
The flaw manifests when a client is configured with allowRemoteResourceManagement=false. With that setting, resources are supposed to be manageable only through the administration console, not remotely through the protection API. Attackers holding valid credentials for the endpoint can nevertheless submit PUT requests to resource_set and have them applied, because the restriction is not enforced on that operation. The attacker still needs valid credentials, so this is a bypass of a configured restriction rather than an unauthenticated exposure, but the configuration that was meant to forbid remote modification is silently ignored. The issue is classified under CWE-285 (Improper Authorization) and CWE-345 (Insufficient Verification of Data Authenticity).
The operational impact goes beyond unauthorized access, because the bypass directly compromises data integrity within the Keycloak environment. A PUT to resource_set updates a resource definition; an attacker who can do this against a client that forbids remote management can change the resource's metadata, such as its name, URIs, scopes or owner, and thereby change which permissions and policies apply to it. Since clients rely on these definitions when Keycloak evaluates authorization decisions, tampered resources can expose data or functions to parties the administrator never intended. The flaw sits in the UMA functionality that enables users to manage access to their own resources, so deployments that have authorization services and UMA enabled are the ones affected.
Organizations running Keycloak should review the authorization settings of every client in every environment and confirm that allowRemoteResourceManagement is set deliberately, then apply the vendor's fix. Until the fix is deployed, compensating measures include limiting which parties can obtain the protection API tokens used to call resource_set, auditing the UMA endpoints, and verifying that every PUT to resource_set is actually authorized for the client it targets. From an ATT&CK perspective the issue maps to T1078.004 (Valid Accounts: Cloud Accounts), since exploitation requires valid credentials, and T1566 (Phishing), as a common way such credentials are obtained. Security teams should also log and alert on PUT requests to /realms/{realm}/authz/protection/resource_set/{id} for clients whose remote management is disabled; a successful response in that situation means the restriction is not being enforced and may indicate exploitation. The vulnerability underscores how a single unenforced check in an identity management system can undo a configuration that administrators believe is protecting them.
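As an added example (not part of the VulDB page and not Keycloak's own code), the script below does the two checks recommended above against constructed data: it reads realm export fragments to find which clients have allowRemoteResourceManagement enabled, and it scans nginx-style access logs from a proxy in front of Keycloak for PUT requests to resource_set in realms where no client permits remote management. The realm names, client IDs, IP addresses and resource IDs are made up; the JSON shape follows the clients[].authorizationSettings field of a Keycloak realm export, and the URL pattern follows the protection API path, both of which are assumptions the reader should confirm against their own deployment.

```python
"""Audit Keycloak realm exports for remote resource management and flag
resource_set PUTs in proxy access logs. All sample data is constructed."""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed realm export fragments (assumed shape: Keycloak realm export,
# clients[].authorizationSettings.allowRemoteResourceManagement).
REALM_EXPORTS = [
    json.dumps({
        "realm": "finance",
        "clients": [
            {"clientId": "ledger-api", "authorizationServicesEnabled": True,
             "authorizationSettings": {"allowRemoteResourceManagement": False}},
            {"clientId": "account-console", "authorizationServicesEnabled": False},
        ],
    }),
    json.dumps({
        "realm": "sandbox",
        "clients": [
            {"clientId": "photoz", "authorizationServicesEnabled": True,
             "authorizationSettings": {"allowRemoteResourceManagement": True}},
        ],
    }),
]


def remote_management_by_realm(exports: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Map realm -> {clientId: allowRemoteResourceManagement} for clients that
    have authorization services enabled; other clients have no UMA resources."""
    result: Dict[str, Dict[str, bool]] = {}
    for raw in exports:
        realm = json.loads(raw)
        clients: Dict[str, bool] = {}
        for client in realm.get("clients", []):
            if not client.get("authorizationServicesEnabled"):
                continue
            settings = client.get("authorizationSettings", {})
            # Default to False: remote management is off unless explicitly on.
            clients[client["clientId"]] = bool(settings.get("allowRemoteResourceManagement", False))
        result[realm["realm"]] = clients
    return result


# Constructed nginx-style access log lines from a reverse proxy in front of Keycloak.
ACCESS_LOG = """\
10.0.0.5 - - [23/Mar/2026:10:01:12 +0000] "GET /realms/finance/protocol/openid-connect/certs HTTP/1.1" 200 1822
10.0.0.7 - - [23/Mar/2026:10:01:15 +0000] "PUT /realms/finance/authz/protection/resource_set/4b1c2c0e-1111-2222-3333-444455556666 HTTP/1.1" 204 0
10.0.0.7 - - [23/Mar/2026:10:01:16 +0000] "GET /realms/finance/authz/protection/resource_set/4b1c2c0e-1111-2222-3333-444455556666 HTTP/1.1" 200 512
10.0.0.9 - - [23/Mar/2026:10:02:40 +0000] "PUT /realms/sandbox/authz/protection/resource_set/9f0e8d7c-aaaa-bbbb-cccc-ddddeeeeffff HTTP/1.1" 204 0
10.0.0.9 - - [23/Mar/2026:10:02:41 +0000] "POST /realms/sandbox/authz/protection/resource_set HTTP/1.1" 201 480
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Protection API path for updating one resource (assumed Keycloak layout).
RESOURCE_SET_RE = re.compile(
    r"^/realms/(?P<realm>[^/]+)/authz/protection/resource_set/(?P<id>[^/?]+)$"
)


def suspicious_resource_set_updates(
    log_text: str, realm_clients: Dict[str, Dict[str, bool]]
) -> List[Tuple[str, str, str, str]]:
    """Return (ip, realm, resource_id, status) for every PUT to resource_set in a
    realm where no authorization-enabled client allows remote management.
    A 2xx status there means the configured restriction was not enforced."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        rs = RESOURCE_SET_RE.match(m["path"])
        if not rs:
            continue
        realm = rs["realm"]
        if any(realm_clients.get(realm, {}).values()):
            continue  # some client in this realm legitimately manages resources remotely
        hits.append((m["ip"], realm, rs["id"], m["status"]))
    return hits


if __name__ == "__main__":
    cfg = remote_management_by_realm(REALM_EXPORTS)
    for realm_name, clients in cfg.items():
        for cid, allowed in clients.items():
            print(f"{realm_name}/{cid}: allowRemoteResourceManagement={allowed}")
    for ip, realm_name, rid, status in suspicious_resource_set_updates(ACCESS_LOG, cfg):
        print(f"ALERT: PUT resource_set/{rid} in realm {realm_name} from {ip} (HTTP {status})")
```

In the constructed data only the finance realm has remote management disabled, so the one PUT there (answered with 204) is flagged while the sandbox PUT is treated as expected. On a server where the restriction is enforced that request should be rejected, so the status column is the quickest way to tell a blocked attempt from a successful bypass.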