Vulnerability-Lookup

WID-SEC-W-2026-0977

Vulnerability from csaf_certbund - Published: 2026-04-06 22:00 - Updated: 2026-06-10 22:00

Summary

Keycloak: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Keycloak ermöglicht Single Sign-On mit Identity and Access Management für moderne Anwendungen und Dienste.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Keycloak ausnutzen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um Daten zu manipulieren, und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2026-1002

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source Keycloak <26.5.7 Open Source / Keycloak		<26.5.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—

CVE-2026-3872

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source Keycloak <26.5.7 Open Source / Keycloak		<26.5.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—

CVE-2026-4282

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source Keycloak <26.5.7 Open Source / Keycloak		<26.5.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—

CVE-2026-4325

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source Keycloak <26.5.7 Open Source / Keycloak		<26.5.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—

CVE-2026-4634

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source Keycloak <26.5.7 Open Source / Keycloak		<26.5.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—

CVE-2026-4636

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Open Source Keycloak <26.5.7 Open Source / Keycloak		<26.5.7
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—

References

20 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.keycloak.org/2026/04/keycloak-2657-released	external
https://github.com/keycloak/keycloak/issues/45569	external
https://github.com/keycloak/keycloak/issues/47718	external
https://github.com/advisories/GHSA-cjm2-j6cm-6p6m	external
https://github.com/keycloak/keycloak/issues/47719	external
https://github.com/advisories/GHSA-hj93-h7pg-fh6v	external
https://github.com/keycloak/keycloak/issues/47715	external
https://github.com/advisories/GHSA-rx66-hj7g-28h7	external
https://github.com/keycloak/keycloak/issues/47716	external
https://github.com/advisories/GHSA-h4wv-g838-66g3	external
https://github.com/keycloak/keycloak/issues/47717	external
https://github.com/advisories/GHSA-f2hx-5fx3-hmcv	external
https://access.redhat.com/errata/RHSA-2026:6477	external
https://access.redhat.com/errata/RHSA-2026:6475	external
https://access.redhat.com/errata/RHSA-2026:6476	external
https://access.redhat.com/errata/RHSA-2026:6478	external
https://access.redhat.com/errata/RHSA-2026:7380	external
https://access.redhat.com/errata/RHSA-2026:25089	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Keycloak erm\u00f6glicht Single Sign-On mit Identity and Access Management f\u00fcr moderne Anwendungen und Dienste.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Keycloak ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, um Informationen offenzulegen, um Daten zu manipulieren, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0977 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0977.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0977 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0977"
      },
      {
        "category": "external",
        "summary": "Keycloak 26.5.7 release notes vom 2026-04-06",
        "url": "https://www.keycloak.org/2026/04/keycloak-2657-released"
      },
      {
        "category": "external",
        "summary": "Keycloak GitHub Issue 45569 vom 2026-04-06",
        "url": "https://github.com/keycloak/keycloak/issues/45569"
      },
      {
        "category": "external",
        "summary": "Keycloak GitHub Issue 47718 vom 2026-04-06",
        "url": "https://github.com/keycloak/keycloak/issues/47718"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-cjm2-j6cm-6p6m vom 2026-04-06",
        "url": "https://github.com/advisories/GHSA-cjm2-j6cm-6p6m"
      },
      {
        "category": "external",
        "summary": "Keycloak GitHub Issue 47719 vom 2026-04-06",
        "url": "https://github.com/keycloak/keycloak/issues/47719"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-hj93-h7pg-fh6v vom 2026-04-06",
        "url": "https://github.com/advisories/GHSA-hj93-h7pg-fh6v"
      },
      {
        "category": "external",
        "summary": "Keycloak GitHub Issue 47715 vom 2026-04-06",
        "url": "https://github.com/keycloak/keycloak/issues/47715"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-rx66-hj7g-28h7 vom 2026-04-06",
        "url": "https://github.com/advisories/GHSA-rx66-hj7g-28h7"
      },
      {
        "category": "external",
        "summary": "Keycloak GitHub Issue 47716 vom 2026-04-06",
        "url": "https://github.com/keycloak/keycloak/issues/47716"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-h4wv-g838-66g3 vom 2026-04-06",
        "url": "https://github.com/advisories/GHSA-h4wv-g838-66g3"
      },
      {
        "category": "external",
        "summary": "Keycloak GitHub Issue 47717 vom 2026-04-06",
        "url": "https://github.com/keycloak/keycloak/issues/47717"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-f2hx-5fx3-hmcv vom 2026-04-06",
        "url": "https://github.com/advisories/GHSA-f2hx-5fx3-hmcv"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6477 vom 2026-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:6477"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6475 vom 2026-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:6475"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6476 vom 2026-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:6476"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:6478 vom 2026-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:6478"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:7380 vom 2026-04-15",
        "url": "https://access.redhat.com/errata/RHSA-2026:7380"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:25089 vom 2026-06-10",
        "url": "https://access.redhat.com/errata/RHSA-2026:25089"
      }
    ],
    "source_lang": "en-US",
    "title": "Keycloak: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-10T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-11T10:52:31.852+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-0977",
      "initial_release_date": "2026-04-06T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-06T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-10T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c26.5.7",
                "product": {
                  "name": "Open Source Keycloak \u003c26.5.7",
                  "product_id": "T052429"
                }
              },
              {
                "category": "product_version",
                "name": "26.5.7",
                "product": {
                  "name": "Open Source Keycloak 26.5.7",
                  "product_id": "T052429-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:keycloak:keycloak:26.5.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Keycloak"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-1002",
      "product_status": {
        "known_affected": [
          "T052429",
          "67646"
        ]
      },
      "release_date": "2026-04-06T22:00:00.000+00:00",
      "title": "CVE-2026-1002"
    },
    {
      "cve": "CVE-2026-3872",
      "product_status": {
        "known_affected": [
          "T052429",
          "67646"
        ]
      },
      "release_date": "2026-04-06T22:00:00.000+00:00",
      "title": "CVE-2026-3872"
    },
    {
      "cve": "CVE-2026-4282",
      "product_status": {
        "known_affected": [
          "T052429",
          "67646"
        ]
      },
      "release_date": "2026-04-06T22:00:00.000+00:00",
      "title": "CVE-2026-4282"
    },
    {
      "cve": "CVE-2026-4325",
      "product_status": {
        "known_affected": [
          "T052429",
          "67646"
        ]
      },
      "release_date": "2026-04-06T22:00:00.000+00:00",
      "title": "CVE-2026-4325"
    },
    {
      "cve": "CVE-2026-4634",
      "product_status": {
        "known_affected": [
          "T052429",
          "67646"
        ]
      },
      "release_date": "2026-04-06T22:00:00.000+00:00",
      "title": "CVE-2026-4634"
    },
    {
      "cve": "CVE-2026-4636",
      "product_status": {
        "known_affected": [
          "T052429",
          "67646"
        ]
      },
      "release_date": "2026-04-06T22:00:00.000+00:00",
      "title": "CVE-2026-4636"
    }
  ]
}

CVE-2026-1002 (GCVE-0-2026-1002)

Vulnerability from cvelistv5 – Published: 2026-01-15 20:50 – Updated: 2026-01-15 21:09

Title

Eclipse Vert.x Web static handler file access denial

Summary

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444

Assigner

eclipse

References

2 references

URL	Tags
https://github.com/eclipse-vertx/vert.x/pull/5895	patch
https://github.com/vert-x3/vertx-web/issues/2836	exploit

Impacted products

1 product

Vendor	Product	Version
Eclipse Vert.x	Eclipse Vert.x	Affected: 4.0.0 , ≤ 4.5.23 (semver) Affected: 5.0.0 , ≤ 5.0.6 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1002",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-15T21:07:25.597990Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-15T21:09:22.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vert-x3/vertx-web/issues/2836"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "io.vertx",
          "product": "Eclipse Vert.x",
          "repo": "https://github.com/eclipse-vertx/vert.x",
          "vendor": "Eclipse Vert.x",
          "versions": [
            {
              "lessThanOrEqual": "4.5.23",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.0.6",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\u003c/p\u003e\n\u003cp\u003eThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/eclipse-vertx/vert.x/pull/5895\"\u003ehttps://github.com/eclipse-vertx/vert.x/pull/5895\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003e\n\u003ca target=\"_blank\" rel=\"nofollow\"\u003e\u003c/a\u003e\u003c/h2\u003e\u003ch2\u003eSteps to reproduce\u003c/h2\u003e\n\u003cp\u003eGiven a file served by the static handler, craft an URI that introduces a string like \u003ccode\u003ebar%2F..%2F\u003c/code\u003e after the last \u003ccode\u003e/\u003c/code\u003e char to deny the access to the URI with an HTTP 404 response. For example \u003ccode\u003ehttps://example.com/foo/index.html\u003c/code\u003e can be denied with \u003ccode\u003ehttps://example.com/foo/bar%2F..%2Findex.html\u003c/code\u003e\u003c/p\u003e\u003ch2\u003eMitgation\u003c/h2\u003e\n\u003cp\u003eDisabling Static Handler cache fixes the issue.\u003c/p\u003e\n\u003cdiv\u003e\n\u003cpre\u003e\u003ccode\u003eStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web):  https://github.com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-15T20:50:25.642Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Eclipse Vert.x Web static handler file access denial",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2026-1002",
    "datePublished": "2026-01-15T20:50:25.642Z",
    "dateReserved": "2026-01-15T18:23:48.276Z",
    "dateUpdated": "2026-01-15T21:09:22.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3872 (GCVE-0-2026-3872)

Vulnerability from cvelistv5 – Published: 2026-04-02 12:37 – Updated: 2026-04-07 14:53

Title

Keycloak: keycloak: information disclosure due to redirect_uri validation bypass

Summary

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

redhat

References

6 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:6475	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-3872	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2445988	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2.15-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-18 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2.15	cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4.11-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4-14 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4.11	cpe:/a:redhat:build_keycloak:26.4::el9

Date Public

2026-04-02 12:30

Credits

Red Hat would like to thank Meeranh for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3872",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T13:15:11.566412Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T13:15:24.946Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2.15-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4.11-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4.11",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Meeranh for reporting this issue."
        }
      ],
      "datePublic": "2026-04-02T12:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:53:06.658Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:6475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "name": "RHSA-2026:6476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6476"
        },
        {
          "name": "RHSA-2026:6477",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6477"
        },
        {
          "name": "RHSA-2026:6478",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6478"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-3872"
        },
        {
          "name": "RHBZ#2445988",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-10T09:16:29.034Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-02T12:30:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak: information disclosure due to redirect_uri validation bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-3872",
    "datePublished": "2026-04-02T12:37:30.633Z",
    "dateReserved": "2026-03-10T09:25:23.875Z",
    "dateUpdated": "2026-04-07T14:53:06.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4282 (GCVE-0-2026-4282)

Vulnerability from cvelistv5 – Published: 2026-04-02 12:44 – Updated: 2026-04-07 11:27

Title

Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw

Summary

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-653 - Improper Isolation or Compartmentalization

Assigner

redhat

References

6 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:6475	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-4282	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2448061	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2.15-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-18 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2.15	cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4.11-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4-14 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4.11	cpe:/a:redhat:build_keycloak:26.4::el9

Date Public

2026-04-02 12:30

Credits

Red Hat would like to thank chungkn (OneMount Group) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4282",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T14:23:22.750489Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T14:24:41.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2.15-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4.11-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4.11",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank chungkn (OneMount Group) for reporting this issue."
        }
      ],
      "datePublic": "2026-04-02T12:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-653",
              "description": "Improper Isolation or Compartmentalization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T11:27:33.522Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:6475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "name": "RHSA-2026:6476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6476"
        },
        {
          "name": "RHSA-2026:6477",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6477"
        },
        {
          "name": "RHSA-2026:6478",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6478"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-4282"
        },
        {
          "name": "RHBZ#2448061",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-16T15:53:57.767Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-02T12:30:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-653: Improper Isolation or Compartmentalization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-4282",
    "datePublished": "2026-04-02T12:44:52.941Z",
    "dateReserved": "2026-03-16T15:53:24.993Z",
    "dateUpdated": "2026-04-07T11:27:33.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4325 (GCVE-0-2026-4325)

Vulnerability from cvelistv5 – Published: 2026-04-02 12:44 – Updated: 2026-04-07 11:27

Title

Keycloak: keycloak: replay of action tokens via improper handling of single-use entries

Summary

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-653 - Improper Isolation or Compartmentalization

Assigner

redhat

References

6 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:6475	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-4325	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2448351	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2.15-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-18 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2.15	cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4.11-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4-14 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4.11	cpe:/a:redhat:build_keycloak:26.4::el9

Date Public

2026-04-02 12:30

Credits

Red Hat would like to thank chungkn (OneMount Group) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4325",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T13:17:04.550488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T13:17:48.959Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2.15-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4.11-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4.11",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank chungkn (OneMount Group) for reporting this issue."
        }
      ],
      "datePublic": "2026-04-02T12:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-653",
              "description": "Improper Isolation or Compartmentalization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T11:27:36.605Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:6475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "name": "RHSA-2026:6476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6476"
        },
        {
          "name": "RHSA-2026:6477",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6477"
        },
        {
          "name": "RHSA-2026:6478",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6478"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-4325"
        },
        {
          "name": "RHBZ#2448351",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448351"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-17T12:43:09.194Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-02T12:30:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak: replay of action tokens via improper handling of single-use entries",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-653: Improper Isolation or Compartmentalization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-4325",
    "datePublished": "2026-04-02T12:44:52.997Z",
    "dateReserved": "2026-03-17T12:43:33.403Z",
    "dateUpdated": "2026-04-07T11:27:36.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4634 (GCVE-0-2026-4634)

Vulnerability from cvelistv5 – Published: 2026-04-02 12:44 – Updated: 2026-06-09 13:56

Title

Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters

Summary

A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1050 - Excessive Platform Resource Consumption within a Loop

Assigner

redhat

References

6 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:6475	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-4634	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2450250	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2.15-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-18 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2.15	cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4.11-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4-14 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4.11	cpe:/a:redhat:build_keycloak:26.4::el9

Date Public

2026-04-02 12:30

Credits

Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T17:22:51.847497Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T17:23:00.421Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2.15-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4.11-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4.11",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."
        }
      ],
      "datePublic": "2026-04-02T12:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1050",
              "description": "Excessive Platform Resource Consumption within a Loop",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T13:56:53.134Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:6475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "name": "RHSA-2026:6476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6476"
        },
        {
          "name": "RHSA-2026:6477",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6477"
        },
        {
          "name": "RHSA-2026:6478",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6478"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-4634"
        },
        {
          "name": "RHBZ#2450250",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450250"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-23T08:40:02.817Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-02T12:30:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-1050: Excessive Platform Resource Consumption within a Loop"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-4634",
    "datePublished": "2026-04-02T12:44:53.424Z",
    "dateReserved": "2026-03-23T08:41:40.650Z",
    "dateUpdated": "2026-06-09T13:56:53.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4636 (GCVE-0-2026-4636)

Vulnerability from cvelistv5 – Published: 2026-04-02 12:45 – Updated: 2026-06-09 13:56

Title

Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.

Summary

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Assigner

redhat

References

6 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:6475	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-4636	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2450251	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2.15-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-18 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2.15	cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4.11-1 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4	Unaffected: 26.4-14 , < * (rpm) cpe:/a:redhat:build_keycloak:26.4::el9
Red Hat	Red Hat build of Keycloak 26.4.11	cpe:/a:redhat:build_keycloak:26.4::el9

Date Public

2026-04-02 12:30

Credits

Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T13:13:39.068813Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T13:31:17.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2.15-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4.11-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.4",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.4-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.4::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.4.11",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."
        }
      ],
      "datePublic": "2026-04-02T12:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-551",
              "description": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T13:56:59.118Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:6475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6475"
        },
        {
          "name": "RHSA-2026:6476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6476"
        },
        {
          "name": "RHSA-2026:6477",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6477"
        },
        {
          "name": "RHSA-2026:6478",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:6478"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-4636"
        },
        {
          "name": "RHBZ#2450251",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-23T08:15:12.427Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-02T12:30:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-4636",
    "datePublished": "2026-04-02T12:45:01.841Z",
    "dateReserved": "2026-03-23T08:51:40.787Z",
    "dateUpdated": "2026-06-09T13:56:59.118Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0977

CVE-2026-1002 (GCVE-0-2026-1002)

CVE-2026-3872 (GCVE-0-2026-3872)

CVE-2026-4282 (GCVE-0-2026-4282)

CVE-2026-4325 (GCVE-0-2026-4325)

CVE-2026-4634 (GCVE-0-2026-4634)

CVE-2026-4636 (GCVE-0-2026-4636)

Tags

Sightings

Nomenclature