{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/uma/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4636"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["keycloak","uma","policy-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-4636, has been discovered in Keycloak, a popular open-source identity and access management solution. This flaw allows an authenticated user who possesses the \u003ccode\u003euma_protection\u003c/code\u003e role to bypass User-Managed Access (UMA) policy validation. By exploiting this vulnerability, an attacker can manipulate policy creation requests to include resource identifiers that belong to other users. This circumvents the intended access controls and enables the attacker to gain unauthorized permissions to resources owned by victims. The scope of the attack is limited to Keycloak instances where UMA is enabled and users have the \u003ccode\u003euma_protection\u003c/code\u003e role. This can lead to significant data breaches and unauthorized actions performed under the guise of legitimate users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Keycloak with an account that has the \u003ccode\u003euma_protection\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a request to create a new UMA policy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the policy creation request to include resource identifiers that belong to other users. This is done even though the URL path in the request specifies a resource owned by the attacker.\u003c/li\u003e\n\u003cli\u003eThe UMA policy validation mechanism fails to properly verify the ownership of the included resource identifiers.\u003c/li\u003e\n\u003cli\u003eKeycloak creates the UMA policy, granting the attacker unauthorized permissions to the victim-owned resources.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a Requesting Party Token (RPT) for the victim\u0026rsquo;s resources using the newly created policy.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RPT to access the victim\u0026rsquo;s resources, potentially accessing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions on the victim\u0026rsquo;s resources, leveraging the gained permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4636 allows an attacker to gain unauthorized access to resources managed by Keycloak. This can lead to the exposure of sensitive data, such as personal information, financial records, or confidential business documents. The number of affected users depends on the scope of the attacker\u0026rsquo;s access and the number of resources they can compromise. The impact could range from individual account compromise to widespread data breaches affecting entire organizations relying on Keycloak for access control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4636 as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor Keycloak logs for suspicious UMA policy creation requests that include resource identifiers not owned by the requesting user. Create a Sigma rule based on webserver logs and filter for POST requests on \u003ccode\u003e/auth/realms/\u0026lt;realm\u0026gt;/authz/protection/uma-policy/\u003c/code\u003e with suspicious resource IDs in the body.\u003c/li\u003e\n\u003cli\u003eImplement additional access controls and validation mechanisms to verify the ownership of resource identifiers during UMA policy creation.\u003c/li\u003e\n\u003cli\u003eReview existing UMA policies to identify and remove any policies that may have been created maliciously using this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:27Z","date_published":"2026-04-02T13:16:27Z","id":"/briefs/2026-04-keycloak-uma-bypass/","summary":"CVE-2026-4636 describes a vulnerability in Keycloak where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation, leading to unauthorized access to victim-owned resources.","title":"Keycloak UMA Policy Bypass Vulnerability (CVE-2026-4636)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Uma","version":"https://jsonfeed.org/version/1.1"}