CVE-2026-4636: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization in Red Hat Red Hat build of Keycloak 26.2
CVE-2026-4636 is a high-severity vulnerability in Red Hat build of Keycloak 26. 2 where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This flaw allows the attacker to include resource identifiers owned by other users in policy creation requests, gaining unauthorized permissions to victim-owned resources. Consequently, the attacker can obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions. Red Hat has released updated packages (Keycloak 26. 2. 15) addressing this issue. Users are advised to back up their installations and apply the update promptly.
AI Analysis
Technical Summary
The vulnerability in Red Hat build of Keycloak 26.2 (CVE-2026-4636) arises from incorrect ordering of authorization checks before parsing and canonicalization in UMA policy validation. An authenticated user with the uma_protection role can bypass these validations to create policies referencing resources owned by other users, despite the URL path indicating attacker-owned resources. This leads to unauthorized access by obtaining a Requesting Party Token (RPT) for victim-owned resources. Red Hat has acknowledged this issue and released Keycloak 26.2.15 packages and container images that fix this vulnerability along with other security issues.
Potential Impact
Exploitation of this vulnerability allows an authenticated user with the uma_protection role to bypass UMA policy validation and gain unauthorized access to resources owned by other users. This results in confidentiality breaches and unauthorized actions on victim-owned resources. The CVSS v3.1 base score is 8.1 (High), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality and integrity. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
Red Hat has released fixed packages for Red Hat build of Keycloak version 26.2.15 that address CVE-2026-4636 along with other vulnerabilities. Users should back up their existing installations, including all applications, configuration files, and databases, before applying the update. The update is available through the Red Hat Customer Portal. Applying this official update is the recommended remediation. No alternative mitigations or workarounds are specified in the advisory.
CVE-2026-4636: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization in Red Hat Red Hat build of Keycloak 26.2
Description
CVE-2026-4636 is a high-severity vulnerability in Red Hat build of Keycloak 26. 2 where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This flaw allows the attacker to include resource identifiers owned by other users in policy creation requests, gaining unauthorized permissions to victim-owned resources. Consequently, the attacker can obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions. Red Hat has released updated packages (Keycloak 26. 2. 15) addressing this issue. Users are advised to back up their installations and apply the update promptly.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat build of Keycloak 26.2 (CVE-2026-4636) arises from incorrect ordering of authorization checks before parsing and canonicalization in UMA policy validation. An authenticated user with the uma_protection role can bypass these validations to create policies referencing resources owned by other users, despite the URL path indicating attacker-owned resources. This leads to unauthorized access by obtaining a Requesting Party Token (RPT) for victim-owned resources. Red Hat has acknowledged this issue and released Keycloak 26.2.15 packages and container images that fix this vulnerability along with other security issues.
Potential Impact
Exploitation of this vulnerability allows an authenticated user with the uma_protection role to bypass UMA policy validation and gain unauthorized access to resources owned by other users. This results in confidentiality breaches and unauthorized actions on victim-owned resources. The CVSS v3.1 base score is 8.1 (High), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality and integrity. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
Red Hat has released fixed packages for Red Hat build of Keycloak version 26.2.15 that address CVE-2026-4636 along with other vulnerabilities. Users should back up their existing installations, including all applications, configuration files, and databases, before applying the update. The update is available through the Red Hat Customer Portal. Applying this official update is the recommended remediation. No alternative mitigations or workarounds are specified in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-03-23T08:51:40.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce6a44e6bfc5ba1dd993b3
Added to database: 4/2/2026, 1:08:20 PM
Last enriched: 4/10/2026, 12:03:50 AM
Last updated: 5/20/2026, 8:51:20 PM
Views: 117
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.