CVE-2026-4630
Description
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated client can exploit IDOR in Keycloak's Authorization Services Protection API to read, modify, or delete resources belonging to other Resource Servers within the same realm.
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in the Keycloak Authorization Services Protection API endpoint /realms/{realm}/authz/protection/resource_set/{id} [1][4]. The endpoint fails to validate that the requested resource UUID belongs to the calling Resource Server, allowing an authenticated client to perform GET, PUT, and DELETE operations on resources owned by another Resource Server within the same realm. The vulnerability is present in Keycloak versions prior to 26.4.12 and requires the client to have allowRemoteResourceManagement=true enabled [2][3][4].
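The ownership check whose absence is described above can be shown with a small in-memory model. This is an added illustration written for this page, not Keycloak's own code: the class and function names (ResourceStore, lookup_unscoped, lookup_scoped, handle_get) and the sample resource servers "billing-api" and "reporting-api" are constructed, and the response fields are illustrative. It contrasts a lookup keyed only on the resource UUID (the flawed pattern) with one bound to the calling Resource Server, which answers a foreign UUID exactly as it answers an unknown one.

```python
"""Toy model of the missing ownership check on the Protection API resource_set
endpoint. Constructed illustration only; none of these names are Keycloak APIs."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import uuid


@dataclass(frozen=True)
class Resource:
    id: str                 # resource UUID, the {id} path parameter
    resource_server: str    # client id of the Resource Server that owns it
    name: str


class ResourceStore:
    """In-memory stand-in for one realm's resource table (constructed data)."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Resource] = {}

    def add(self, resource_server: str, name: str) -> Resource:
        r = Resource(id=str(uuid.uuid4()), resource_server=resource_server, name=name)
        self._by_id[r.id] = r
        return r

    def lookup_unscoped(self, resource_id: str) -> Optional[Resource]:
        # Flawed pattern: the record is fetched by UUID alone, so any
        # authenticated client in the realm that knows the UUID gets it back.
        return self._by_id.get(resource_id)

    def lookup_scoped(self, caller: str, resource_id: str) -> Optional[Resource]:
        # Hardened pattern: the lookup is bound to the caller's own Resource
        # Server. A foreign UUID and an unknown UUID both yield None, so the
        # caller cannot even confirm that another server's resource exists.
        r = self._by_id.get(resource_id)
        if r is None or r.resource_server != caller:
            return None
        return r


def handle_get(store: ResourceStore, caller: str, resource_id: str,
               scoped: bool) -> Tuple[int, Optional[dict]]:
    """Models GET /realms/{realm}/authz/protection/resource_set/{id}.
    PUT and DELETE would reuse the same scoped lookup before acting.
    Returns (status, body) so both behaviours can be compared side by side."""
    r = (store.lookup_scoped(caller, resource_id) if scoped
         else store.lookup_unscoped(resource_id))
    if r is None:
        return 404, None
    return 200, {"_id": r.id, "name": r.name, "owner": r.resource_server}


def demo() -> Tuple[int, int, int]:
    """Returns the status codes for: cross-server read without the check,
    cross-server read with the check, and the owner's own read with the check."""
    store = ResourceStore()
    victim = store.add("billing-api", "invoices")      # constructed sample
    other_client = "reporting-api"                     # another RS in the same realm
    unscoped, _ = handle_get(store, other_client, victim.id, scoped=False)
    scoped, _ = handle_get(store, other_client, victim.id, scoped=True)
    own, _ = handle_get(store, "billing-api", victim.id, scoped=True)
    return unscoped, scoped, own


if __name__ == "__main__":
    print(demo())  # (200, 404, 200)
```

Running it shows the difference in one line of output: without the ownership binding the foreign client's read succeeds, with it the read is indistinguishable from a request for a UUID that does not exist, while the owning Resource Server is unaffected.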
Exploitation
An attacker must possess valid client credentials (e.g., a client secret) for any Resource Server with Authorization Services enabled in the target realm and must know or obtain the UUID of a resource belonging to another Resource Server [4]. The attacker obtains a client_credentials token and then sends HTTP requests (GET, PUT, or DELETE) to the vulnerable endpoint with the victim resource's UUID. In tested versions (e.g., 26.5.4), GET and PUT succeed; DELETE may be blocked by server-side authorization, but the same endpoint logic is flawed for all operations [4].
Impact
Successful exploitation leads to information disclosure (reading resource metadata and details) and unauthorized modification or deletion of resources owned by other Resource Servers within the same realm [1][4]. The attacker can potentially corrupt or destroy resource data, affecting the confidentiality and integrity of the affected realm's resources. No privilege escalation beyond the client's own grant is required; the scope of compromise is, however, limited to resources within the same Keycloak realm.
Mitigation
Red Hat released fixed images and packages for Keycloak 26.4.12 on 2026-05-20 [2][3]. Administrators should update to Keycloak 26.4.12 or later. No workaround is disclosed for unpatched versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the advisory date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (No linked articles in our index yet.)