{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/policy-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4636"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["keycloak","uma","policy-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-4636, has been discovered in Keycloak, a popular open-source identity and access management solution. This flaw allows an authenticated user who possesses the \u003ccode\u003euma_protection\u003c/code\u003e role to bypass User-Managed Access (UMA) policy validation. By exploiting this vulnerability, an attacker can manipulate policy creation requests to include resource identifiers that belong to other users. This circumvents the intended access controls and enables the attacker to gain unauthorized permissions to resources owned by victims. The scope of the attack is limited to Keycloak instances where UMA is enabled and users have the \u003ccode\u003euma_protection\u003c/code\u003e role. This can lead to significant data breaches and unauthorized actions performed under the guise of legitimate users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Keycloak with an account that has the \u003ccode\u003euma_protection\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a request to create a new UMA policy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the policy creation request to include resource identifiers that belong to other users. This is done even though the URL path in the request specifies a resource owned by the attacker.\u003c/li\u003e\n\u003cli\u003eThe UMA policy validation mechanism fails to properly verify the ownership of the included resource identifiers.\u003c/li\u003e\n\u003cli\u003eKeycloak creates the UMA policy, granting the attacker unauthorized permissions to the victim-owned resources.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a Requesting Party Token (RPT) for the victim\u0026rsquo;s resources using the newly created policy.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RPT to access the victim\u0026rsquo;s resources, potentially accessing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions on the victim\u0026rsquo;s resources, leveraging the gained permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4636 allows an attacker to gain unauthorized access to resources managed by Keycloak. This can lead to the exposure of sensitive data, such as personal information, financial records, or confidential business documents. The number of affected users depends on the scope of the attacker\u0026rsquo;s access and the number of resources they can compromise. The impact could range from individual account compromise to widespread data breaches affecting entire organizations relying on Keycloak for access control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4636 as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor Keycloak logs for suspicious UMA policy creation requests that include resource identifiers not owned by the requesting user. Create a Sigma rule based on webserver logs and filter for POST requests on \u003ccode\u003e/auth/realms/\u0026lt;realm\u0026gt;/authz/protection/uma-policy/\u003c/code\u003e with suspicious resource IDs in the body.\u003c/li\u003e\n\u003cli\u003eImplement additional access controls and validation mechanisms to verify the ownership of resource identifiers during UMA policy creation.\u003c/li\u003e\n\u003cli\u003eReview existing UMA policies to identify and remove any policies that may have been created maliciously using this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:27Z","date_published":"2026-04-02T13:16:27Z","id":"/briefs/2026-04-keycloak-uma-bypass/","summary":"CVE-2026-4636 describes a vulnerability in Keycloak where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation, leading to unauthorized access to victim-owned resources.","title":"Keycloak UMA Policy Bypass Vulnerability (CVE-2026-4636)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","policy-bypass","access-control"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. HTTP hostnames are case-insensitive, but Heimdall performs host matching in a case-sensitive manner. Discovered and reported in April 2026, this discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an \u0026ldquo;allow all\u0026rdquo; configuration unless explicitly disabled using flags like \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e or \u003ccode\u003e--insecure\u003c/code\u003e. The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance with host-based access control rules.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a specific rule where the host is used for access control (e.g., \u003ccode\u003eadmin.example.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request with a \u003ccode\u003eHost\u003c/code\u003e header that differs only in casing (e.g., \u003ccode\u003eAdmin.Example.Com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the intended rule due to the case-sensitive comparison.\u003c/li\u003e\n\u003cli\u003eIf no default rule is configured, Heimdall returns a \u0026ldquo;404 Not Found\u0026rdquo; error.\u003c/li\u003e\n\u003cli\u003eIf a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the gained access to modify data, invoke functionality, or escalate privileges depending on the exposed functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eBypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. The severity of the impact depends heavily on the misconfiguration of Heimdall\u0026rsquo;s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNormalize request hosts to lowercase in layers in front of Heimdall to mitigate the case sensitivity issue.\u003c/li\u003e\n\u003cli\u003eAvoid configuring permissive default rules. Remove or disable the \u003ccode\u003e--insecure\u003c/code\u003e or \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003eWhen using the \u003ccode\u003eregex\u003c/code\u003e type for host matching, define expressions in a case-insensitive manner (e.g., \u003ccode\u003e(?i)^admin\\.example\\.com$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-case-sensitivity/","summary":"Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.","title":"Heimdall Host Matching Case-Sensitivity Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/"}],"language":"en","title":"CraftedSignal Threat Feed — Policy-Bypass","version":"https://jsonfeed.org/version/1.1"}