Keycloak Broken Access Control Vulnerability in UserManagedPermissionService

Vulnerability

A significant broken access control vulnerability has been identified in Keycloak's UserManagedPermissionService, part of the UMA Protection API. This vulnerability allows a user (Owner A) who owns one resource to update a shared policy and alter authorization rules for other resources in that policy, even if those resources are owned by a different user (Owner B). The issue arises because the authorization check only verifies ownership against the first resource in the policy's list, leading to horizontal privilege escalation.
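The flaw described above, reduced to its core, as an added illustration that is not Keycloak's own code: a simplified Python model with constructed sample data and hypothetical names (`RESOURCE_OWNER`, `Policy`, `update_policy_vulnerable`, `update_policy_fixed`), showing the check that only consults the first resource's owner next to the corrected check that requires the requester to own every resource the policy governs.

```python
from dataclasses import dataclass, field

# Constructed sample data and hypothetical function names; a simplified model,
# not Keycloak's own Java code.
RESOURCE_OWNER = {"doc-a": "owner-a", "doc-b": "owner-b"}

@dataclass
class Policy:
    policy_id: str
    resource_ids: list          # resources this user-managed policy governs
    rules: dict = field(default_factory=dict)

class PermissionDenied(Exception):
    pass

def update_policy_vulnerable(requester, policy, new_rules):
    """Flawed check: compares the requester only with the FIRST resource's owner."""
    first = policy.resource_ids[0]
    if RESOURCE_OWNER[first] != requester:
        raise PermissionDenied(f"{requester} does not own {first}")
    policy.rules = dict(new_rules)
    return policy

def update_policy_fixed(requester, policy, new_rules):
    """Corrected check: the requester must own EVERY resource in the policy."""
    for rid in policy.resource_ids:
        if RESOURCE_OWNER[rid] != requester:
            raise PermissionDenied(f"{requester} does not own {rid}")
    policy.rules = dict(new_rules)
    return policy

def attempt(update_fn, requester, policy, new_rules):
    """True if the update was permitted, False if the check denied it."""
    try:
        update_fn(requester, policy, new_rules)
        return True
    except PermissionDenied:
        return False

def shared_policy():
    """Policy listing Owner A's resource first and Owner B's resource second."""
    return Policy("shared", ["doc-a", "doc-b"], {"roles": ["viewer"]})

if __name__ == "__main__":
    change = {"roles": ["editor"]}
    print("vulnerable:", attempt(update_policy_vulnerable, "owner-a", shared_policy(), change))
    print("fixed:", attempt(update_policy_fixed, "owner-a", shared_policy(), change))
```

With the flawed check Owner A's update of the shared policy is accepted, silently rewriting the rules that protect Owner B's resource; with the corrected check it is denied.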

Impact

Exploitation of this vulnerability allows for unauthorized modification of UMA policies, enabling users to change authorization rules for resources they do not own.

Remediation

Users can upgrade to the Red Hat build of Keycloak 26.2.13 or 26.4.9, both of which include the necessary fix. Instructions for downloading these versions are available on the Red Hat Customer Portal.

Added: Feb 9, 2026, 8:33 PM
Updated: Feb 10, 2026, 2:54 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.