{"api_version":"1","generated_at":"2026-06-04T04:52:40+00:00","cve":"CVE-2026-4630","urls":{"html":"https://cve.report/CVE-2026-4630","api":"https://cve.report/api/cve/CVE-2026-4630.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-4630","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-4630"},"summary":{"title":"Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference","description":"A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-05-19 12:16:19","updated_at":"2026-06-03 19:53:36"},"problem_types":["CWE-639","CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:19596","name":"https://access.redhat.com/errata/RHSA-2026:19596","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:19597","name":"https://access.redhat.com/errata/RHSA-2026:19597","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450245","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2450245","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-4630","name":"https://access.redhat.com/security/cve/CVE-2026-4630","refsource":"secalert@redhat.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-4630","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4630","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4.12-1 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4-17 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4-17 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.12","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-03-23T08:10:40.944Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-04-15T12:34:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"4630","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"build_of_keycloak","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"4630","cve":"CVE-2026-4630","epss":"0.000110000","percentile":"0.014310000","score_date":"2026-06-03","updated_at":"2026-06-04 00:06:34"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-4630","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-05-19T16:33:12.614371Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-19T16:33:22.235Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-operator-bundle","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4.12-1","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4-17","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9-operator","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4-17","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat build of Keycloak 26.4.12","vendor":"Red Hat"}],"datePublic":"2026-04-15T12:34:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-20T16:08:47.221Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2026:19596","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19596"},{"name":"RHSA-2026:19597","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19597"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-4630"},{"name":"RHBZ#2450245","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450245"}],"timeline":[{"lang":"en","time":"2026-03-23T08:10:40.944Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-15T12:34:00.000Z","value":"Made public."}],"title":"Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-639: Authorization Bypass Through User-Controlled Key"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-4630","datePublished":"2026-05-19T10:28:15.936Z","dateReserved":"2026-03-23T08:12:45.479Z","dateUpdated":"2026-05-20T16:08:47.221Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-19 12:16:19","lastModifiedDate":"2026-06-03 19:53:36","problem_types":["CWE-639","CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":5.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*","versionStartIncluding":"26.4","versionEndExcluding":"26.4.12","matchCriteriaId":"E71FD53F-2C05-4B84-9BEE-BB287017B322"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"4630","Ordinal":"1","Title":"Keycloak: keycloak: unauthorized resource access and data modifi","CVE":"CVE-2026-4630","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"4630","Ordinal":"1","NoteData":"A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.","Type":"Description","Title":"Keycloak: keycloak: unauthorized resource access and data modifi"}]}}}