CVE-2026-4630
6.8 MEDIUMA flaw was found in Keycloak
Published: 2026-05-19 · Last updated: 2026-06-03
Severity and scoring
- CVSS
- 6.8 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-639
Affected products
| Vendor | Product |
|---|---|
| redhat | build_of_keycloak |
Description
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-4630
- [Vendor advisory]https://access.redhat.com/errata/RHSA-2026:19596
- [Vendor advisory]https://access.redhat.com/errata/RHSA-2026:19597
- [Vendor advisory]https://access.redhat.com/security/cve/CVE-2026-4630
- [Vendor advisory]https://bugzilla.redhat.com/show_bug.cgi?id=2450245
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-53863 — OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs (7.1 HIGH)
- CVE-2026-10780 — The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2 (4.3 MEDIUM)
- CVE-2026-48599 — Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify res...
- CVE-2026-52699 — Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions (7.5 HIGH)
- CVE-2026-48872 — Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions (7.5 HIGH)