https://feed.craftedsignal.io/tags/policy-bypass/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 02 Apr 2026 13:16:27 +0000https://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/Thu, 02 Apr 2026 13:16:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/CVE-2026-4636 describes a vulnerability in Keycloak where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation, leading to unauthorized access to victim-owned resources.A vulnerability, identified as CVE-2026-4636, has been discovered in Keycloak, a popular open-source identity and access management solution. This flaw allows an authenticated user who possesses the uma_protection role to bypass User-Managed Access (UMA) policy validation. By exploiting this vulnerability, an attacker can manipulate policy creation requests to include resource identifiers that belong to other users. This circumvents the intended access controls and enables the attacker to gain unauthorized permissions to resources owned by victims. The scope of the attack is limited to Keycloak instances where UMA is enabled and users have the uma_protection role. This can lead to significant data breaches and unauthorized actions performed under the guise of legitimate users.

Attack Chain

1. An attacker authenticates to Keycloak with an account that has the uma_protection role.
2. The attacker initiates a request to create a new UMA policy.
3. The attacker crafts the policy creation request to include resource identifiers that belong to other users. This is done even though the URL path in the request specifies a resource owned by the attacker.
4. The UMA policy validation mechanism fails to properly verify the ownership of the included resource identifiers.
5. Keycloak creates the UMA policy, granting the attacker unauthorized permissions to the victim-owned resources.
6. The attacker obtains a Requesting Party Token (RPT) for the victim’s resources using the newly created policy.
7. The attacker uses the RPT to access the victim’s resources, potentially accessing sensitive information.
8. The attacker performs unauthorized actions on the victim’s resources, leveraging the gained permissions.

Impact

Successful exploitation of CVE-2026-4636 allows an attacker to gain unauthorized access to resources managed by Keycloak. This can lead to the exposure of sensitive data, such as personal information, financial records, or confidential business documents. The number of affected users depends on the scope of the attacker’s access and the number of resources they can compromise. The impact could range from individual account compromise to widespread data breaches affecting entire organizations relying on Keycloak for access control.

Recommendation

• Apply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4636 as soon as it becomes available.
• Monitor Keycloak logs for suspicious UMA policy creation requests that include resource identifiers not owned by the requesting user. Create a Sigma rule based on webserver logs and filter for POST requests on /auth/realms/<realm>/authz/protection/uma-policy/ with suspicious resource IDs in the body.
• Implement additional access controls and validation mechanisms to verify the ownership of resource identifiers during UMA policy creation.
• Review existing UMA policies to identify and remove any policies that may have been created maliciously using this vulnerability.

]]>highadvisorykeycloakumapolicy-bypassprivilege-escalationhttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.Heimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. HTTP hostnames are case-insensitive, but Heimdall performs host matching in a case-sensitive manner. Discovered and reported in April 2026, this discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an “allow all” configuration unless explicitly disabled using flags like --insecure-skip-secure-default-rule-enforcement or --insecure. The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.

Attack Chain

1. The attacker identifies a Heimdall instance with host-based access control rules.
2. The attacker identifies a specific rule where the host is used for access control (e.g., admin.example.com).
3. The attacker crafts an HTTP request with a Host header that differs only in casing (e.g., Admin.Example.Com).
4. Heimdall fails to match the intended rule due to the case-sensitive comparison.
5. If no default rule is configured, Heimdall returns a “404 Not Found” error.
6. If a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.
7. The attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.
8. The attacker exploits the gained access to modify data, invoke functionality, or escalate privileges depending on the exposed functionality.

Impact

Bypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. The severity of the impact depends heavily on the misconfiguration of Heimdall’s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.

Recommendation

• Normalize request hosts to lowercase in layers in front of Heimdall to mitigate the case sensitivity issue.
• Avoid configuring permissive default rules. Remove or disable the --insecure or --insecure-skip-secure-default-rule-enforcement flags.
• When using the regex type for host matching, define expressions in a case-insensitive manner (e.g., (?i)^admin\.example\.com$).
• Upgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.

]]>highadvisorydefense-evasionpolicy-bypassaccess-control