{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-23T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: org.keycloak.authorization: Keycloak: Unauthorized resource modification due to improper access control",
    "id" : "2450240",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2450240"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-284",
  "details" : [ "A flaw was found in Keycloak. An improper access control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs because access control checks are not fully enforced on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.", "A flaw was found in Keycloak. An improper access control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs because access control checks are not fully enforced on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity." ],
  "statement" : "MODERATE: This flaw in Keycloak allows authenticated attackers to bypass the `allowRemoteResourceManagement=false` restriction, enabling unauthorized modification of protected resources. This impacts data integrity in Red Hat Build of Keycloak (RHBK) version rhbk-26.4. Other Red Hat products, including Enterprise Application Platform and Red Hat Single Sign-On, are not affected as the vulnerable code is not present.",
  "acknowledgement" : "Red Hat would like to thank Evan Hendra for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-4628\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4628" ],
  "name" : "CVE-2026-4628",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}