Home

Description

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.

PUBLISHED Reserved 2026-03-23 | Published 2026-05-19 | Updated 2026-05-20 | Assigner redhat




MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
affected

26.4.12-1 (rpm) before *
unaffected

Default status
affected

26.4-17 (rpm) before *
unaffected

Default status
affected

26.4-17 (rpm) before *
unaffected

Default status
unaffected

Timeline

2026-03-23:Reported to Red Hat.
2026-04-15:Made public.

References

access.redhat.com/errata/RHSA-2026:19596 (RHSA-2026:19596) vendor-advisory

access.redhat.com/errata/RHSA-2026:19597 (RHSA-2026:19597) vendor-advisory

access.redhat.com/security/cve/CVE-2026-4630 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2450245 (RHBZ#2450245) issue-tracking

cve.org (CVE-2026-4630)

nvd.nist.gov (CVE-2026-4630)

Download JSON