Keycloak Improper Access Control Vulnerability in User-Managed Access Resource Set Endpoint

Vulnerability

An improper access control vulnerability has been identified in Keycloak's User-Managed Access (UMA) resource_set endpoint. This flaw allows authenticated attackers to bypass the allowRemoteResourceManagement=false restriction, enabling unauthorized modifications of protected resources. The issue arises from incomplete enforcement of access control checks on PUT operations to the resource_set endpoint, impacting data integrity.
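As an added illustration (not Keycloak's own code), the pattern behind this class of flaw and its fix: a constructed resource_set authorization check that consults the allowRemoteResourceManagement flag only for some mutating HTTP methods, beside a deny-by-default version that applies it to every method that is not read-only. The ResourceServer class, the helper names and the method sets are assumptions for the example, not Keycloak APIs.

```python
from dataclasses import dataclass

# Constructed stand-in for the resource-server configuration; only the
# allowRemoteResourceManagement setting is modelled.
@dataclass
class ResourceServer:
    allow_remote_resource_management: bool

# Methods that cannot modify a resource set (assumption for this example).
READ_ONLY_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
ALL_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")


def incomplete_is_allowed(server: ResourceServer, method: str) -> bool:
    """Illustrates an incomplete check: the flag is consulted only for an
    enumerated set of mutating verbs, so PUT is never rejected."""
    if method in ("POST", "DELETE"):
        return server.allow_remote_resource_management
    return True


def hardened_is_allowed(server: ResourceServer, method: str) -> bool:
    """Deny-by-default: anything that is not explicitly read-only must
    satisfy the flag, so an overlooked or newly added verb cannot bypass it."""
    if method.upper() in READ_ONLY_METHODS:
        return True
    return server.allow_remote_resource_management


def audit(server: ResourceServer, check) -> dict:
    """Map each method to the decision a given check would make, which makes
    gaps such as an unguarded PUT visible at a glance."""
    return {m: check(server, m) for m in ALL_METHODS}


if __name__ == "__main__":
    locked = ResourceServer(allow_remote_resource_management=False)
    print("incomplete:", audit(locked, incomplete_is_allowed))
    print("hardened:  ", audit(locked, hardened_is_allowed))
```

Running the block with remote management disabled shows PUT and PATCH still permitted by the incomplete check and denied by the hardened one.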

Impact

Exploitation of this vulnerability allows authenticated users to make unauthorized changes to protected resources, thereby compromising data integrity.

Added: Mar 23, 2026, 9:19 AM
Updated: Mar 23, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 5.4
remediation: 0.0
relevance: 4.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.