Cyber Resilience

CVE-2026-4636

Severity: High · Public PoC · Updated

Published: 02 April 2026
Modified: 30 June 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0034 (25.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4636 is a high-severity Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (CWE-551) vulnerability in Redhat Build Of Keycloak. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4636 is a vulnerability in Keycloak that allows an authenticated user with the uma_protection role to bypass User-Managed Access (UMA) policy validation. Specifically, the flaw enables the attacker to include resource identifiers owned by other users in a policy creation request, even though the URL path references an attacker-owned resource: authorization is decided on the path before the full request body has been parsed and checked. This issue is associated with CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts reachable over the network with only low privileges required.

An attacker with an authenticated account possessing the uma_protection role can exploit this vulnerability remotely without user interaction. By crafting a policy creation request that mixes victim-owned resource identifiers with an attacker-controlled resource path, the attacker bypasses validation and gains unauthorized permissions over the victim's resources. This escalation allows the attacker to obtain a Requesting Party Token (RPT), enabling access to sensitive information or execution of unauthorized actions on those resources.

Red Hat has addressed this vulnerability through multiple errata releases, including RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477, and RHSA-2026:6478, which provide patches for affected Keycloak deployments. Additional details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-4636. Security practitioners should apply these updates promptly to mitigate the risk.

EU & UK References

Vulnerability details

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is an authorization bypass in Keycloak's UMA policy validation (caused by authorizing the request before its contents are fully validated) that allows an authenticated user with a limited role to gain unauthorized access to other users' resources and obtain RPT tokens. Exploiting the software flaw therefore escalates the attacker's privileges beyond those of the assigned role.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9795 (same product: Redhat Build Of Keycloak)
CVE-2026-4282 (same product: Redhat Build Of Keycloak)
CVE-2026-7307 (same product: Redhat Build Of Keycloak)
CVE-2026-7507 (same product: Redhat Build Of Keycloak)
CVE-2026-7504 (same product: Redhat Build Of Keycloak)
CVE-2026-3872 (same product: Redhat Build Of Keycloak)
CVE-2026-7571 (same product: Redhat Build Of Keycloak)
CVE-2026-4634 (same product: Redhat Build Of Keycloak)
CVE-2026-3047 (same product: Redhat Build Of Keycloak)
CVE-2026-3121 (same product: Redhat Build Of Keycloak)

Affected Assets

Vendor: redhat
Product: build of keycloak
Versions: 26.2, 26.2.15, 26.4, 26.4.11, all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Vendor patch application (prevent): Directly mitigates the CVE by requiring timely application of vendor patches such as RHSA-2026:6475 to RHSA-2026:6478 that fix the UMA policy validation bypass in Keycloak.

AC-3 Access Enforcement (prevent): Enforces approved authorizations in Keycloak to prevent authenticated users from creating policies that include unauthorized victim-owned resource identifiers.

SI-10 Information Input Validation (prevent): Requires validation of resource identifiers in policy creation requests to ensure ownership matches the URL path, addressing the CWE-551 early validation flaw.
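The ordering mistake behind CWE-551, and the check the SI-10 control above calls for, can be shown with a small model of a UMA policy-creation request. The following is an added example written for this page; it is not Keycloak's code and does not use any Keycloak API. The resource registry, the user names, the route layout (a resource id in the URL path plus a list of resource ids in the body) and the canonical form of an identifier (trimmed, lowercase) are all constructed assumptions. `flawed_check` authorizes on the path alone before the body is examined, so a foreign id in the body passes; `validate_policy_request` parses and canonicalizes every identifier first and only then authorizes each one against the owner.

```python
from dataclasses import dataclass


class PolicyValidationError(Exception):
    """Raised when a policy-creation request references a resource the
    requester does not own."""


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner: str


@dataclass(frozen=True)
class PolicyRequest:
    requester: str            # authenticated user sending the request
    path_resource_id: str     # resource id taken from the URL path (assumed route)
    body_resource_ids: tuple  # resource ids listed inside the request body


# Constructed sample registry of who owns which UMA resource.
RESOURCE_STORE = {
    "res-alice-1": Resource("res-alice-1", "alice"),
    "res-alice-2": Resource("res-alice-2", "alice"),
    "res-bob-1": Resource("res-bob-1", "bob"),
}


def canonical_id(raw: str) -> str:
    """Canonicalize an identifier before it is authorized (assumed form:
    trimmed, lowercase). Authorizing the raw string would let two spellings
    of the same id be treated differently."""
    return raw.strip().lower()


def flawed_check(req: PolicyRequest, store: dict) -> list:
    """The ordering CWE-551 warns about: the decision is made on the URL path
    alone, before the body has been parsed, so body ids are never checked
    against ownership. Returns the ids the policy would be bound to."""
    path_res = store.get(canonical_id(req.path_resource_id))
    if path_res is None or path_res.owner != req.requester:
        raise PolicyValidationError("path resource is not owned by requester")
    # Body ids are accepted as-is: an id owned by someone else passes through.
    return [canonical_id(r) for r in req.body_resource_ids]


def validate_policy_request(req: PolicyRequest, store: dict) -> list:
    """Corrected ordering: parse and canonicalize every identifier in the
    request (path and body), then authorize each one against the store.
    Returns the deduplicated list of ids the requester may bind a policy to."""
    wanted = [canonical_id(req.path_resource_id)]
    wanted += [canonical_id(r) for r in req.body_resource_ids]
    authorized = []
    for rid in dict.fromkeys(wanted):  # dedupe while keeping request order
        res = store.get(rid)
        if res is None:
            raise PolicyValidationError(f"unknown resource {rid!r}")
        if res.owner != req.requester:
            raise PolicyValidationError(
                f"resource {rid!r} is owned by {res.owner!r}, not {req.requester!r}")
        authorized.append(rid)
    return authorized


def is_rejected(req: PolicyRequest, store: dict) -> bool:
    """Boolean wrapper around validate_policy_request for callers and tests."""
    try:
        validate_policy_request(req, store)
    except PolicyValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: alice's resource in the path, bob's resource in the body.
    mixed = PolicyRequest("alice", "res-alice-1", ("res-alice-1", " RES-BOB-1 "))
    print("flawed check binds:", flawed_check(mixed, RESOURCE_STORE))
    print("corrected check rejects:", is_rejected(mixed, RESOURCE_STORE))
```

The point to take from the corrected version is the order of operations: nothing is authorized until the whole request has been parsed into canonical identifiers, and every identifier, not just the one in the path, is checked against the requester's ownership. A request that mixes owners fails closed with a single error rather than binding a policy to a resource the requester does not own.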

References