CVE-2026-4636
Published: 02 April 2026
Summary
CVE-2026-4636 is a high-severity Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (CWE-551) vulnerability in Red Hat build of Keycloak. Its CVSS v3.1 base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 10.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely application of vendor patches such as RHSA-2026:6475 through RHSA-2026:6478, which fix the UMA policy validation bypass in Keycloak.
AC-3 (Access Enforcement): enforces approved authorizations in Keycloak so that authenticated users cannot create policies that include resource identifiers owned by other users.
SI-10 (Information Input Validation): requires validation of every resource identifier in a policy creation request, so that ownership is checked against the caller and the resource named in the URL path before any authorization decision is acted on. This addresses the CWE-551 flaw, in which authorization is performed on the path before the request body has been parsed and canonicalized.
MITRE ATT&CK Enterprise Techniques
Exploitation for Privilege Escalation (T1068)
Why these techniques?
The vulnerability is an authorization bypass in Keycloak's UMA policy validation: the ownership check is applied to the resource in the URL path before the resource identifiers in the request body are parsed and validated. An authenticated user holding only the uma_protection role can thereby gain permissions over other users' resources and obtain RPT tokens for them. That is a direct exploitation of a software vulnerability to escalate privileges beyond the attacker's assigned role.
NVD Description
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
Deeper analysis
CVE-2026-4636 is a vulnerability in Keycloak that allows an authenticated user with the uma_protection role to bypass User-Managed Access (UMA) policy validation. Specifically, the flaw enables the attacker to include resource identifiers owned by other users in a policy creation request, despite the URL path referencing an attacker-owned resource. The issue is classified as CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization): the authorization decision is made on the path-level resource before the body's resource identifiers have been parsed and checked. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impact, reachable over the network with low privileges required and no user interaction.
An attacker with an authenticated account possessing the uma_protection role can exploit this vulnerability remotely without user interaction. By crafting a policy creation request that mixes victim-owned resource identifiers with an attacker-controlled resource path, the attacker bypasses validation and gains unauthorized permissions over the victim's resources. This escalation allows the attacker to obtain a Requesting Party Token (RPT), enabling access to sensitive information or execution of unauthorized actions on those resources.
Red Hat has addressed this vulnerability through multiple errata releases, including RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477, and RHSA-2026:6478, which provide patches for affected Keycloak deployments. Additional details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-4636. Security practitioners should apply these updates promptly to mitigate the risk.
Details
- CWE(s): CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization)