PatchSiren cyber security CVE debrief
CVE-2026-4630 Red Hat CVE debrief
CVE-2026-4630 is an IDOR weakness in Keycloak’s Authorization Services Protection API. An authenticated client that knows, or can obtain, the UUID of a resource registered by a different Resource Server in the same realm can bypass the object-level authorization check and issue GET, PUT, and DELETE requests against that resource. The result can be information disclosure, unauthorized modification, or deletion of protected resource data. NVD published the vulnerability on 2026-05-19, and Red Hat security resources are listed as references.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Administrators and security teams operating Keycloak deployments that use Authorization Services, especially environments where authenticated clients can interact with the Protection API and Resource Server identifiers may be exposed or guessable.
Technical summary
The issue is described as an IDOR (CWE-639, Authorization Bypass Through User-Controlled Key) in the Authorization Services Protection API endpoint. Rather than enforcing object-level authorization on each request, the endpoint acts on any valid resource UUID the caller supplies, including a UUID that belongs to a different Resource Server in the same realm, so authenticating as one resource server is enough to operate on another's resources. The reported impact includes unauthorized read, update, and delete operations.
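The following is an added illustration, not Keycloak's code and not part of the original debrief: a minimal model of the CWE-639 pattern described above, with a vulnerable lookup beside a hardened one. The `Realm`/`Resource` classes, the resource server IDs `rs-a` and `rs-b`, and the resource names are all constructed stand-ins for a Protection API resource_set endpoint; the hardened variant shows what "object-level authorization" means here: the caller's own resource server must own the UUID, for every verb.

```python
"""Added example (not Keycloak's implementation): vulnerable vs. hardened
object-level authorization for a Protection-API-style resource endpoint.
All identifiers below are constructed."""
import uuid
from dataclasses import dataclass, field
from typing import Dict


class NotFound(Exception):
    """Raised for a resource the caller may not see (missing or not owned)."""


@dataclass
class Resource:
    id: str
    owner_rs: str   # client ID of the resource server that registered it
    name: str


@dataclass
class Realm:
    # All resource servers in a realm share one table keyed by resource UUID,
    # which is why a UUID alone must never be treated as proof of ownership.
    resources: Dict[str, Resource] = field(default_factory=dict)

    def register(self, owner_rs: str, name: str) -> Resource:
        res = Resource(id=str(uuid.uuid4()), owner_rs=owner_rs, name=name)
        self.resources[res.id] = res
        return res


# --- vulnerable: authentication only, no object-level check -----------------

def vulnerable_get(realm: Realm, caller_rs: str, resource_id: str) -> Resource:
    """caller_rs is an authenticated resource server, but the lookup never
    compares it with the resource's owner: any valid UUID in the realm works."""
    res = realm.resources.get(resource_id)
    if res is None:
        raise NotFound(resource_id)
    return res


def vulnerable_delete(realm: Realm, caller_rs: str, resource_id: str) -> None:
    vulnerable_get(realm, caller_rs, resource_id)
    del realm.resources[resource_id]


# --- hardened: bind every operation to the caller's own resource server ------

def _owned_resource(realm: Realm, caller_rs: str, resource_id: str) -> Resource:
    """Object-level authorization: the resource must exist AND belong to the
    caller. Both failures raise the same error so a foreign UUID cannot be
    told apart from a nonexistent one (no existence oracle)."""
    res = realm.resources.get(resource_id)
    if res is None or res.owner_rs != caller_rs:
        raise NotFound(resource_id)
    return res


def hardened_get(realm: Realm, caller_rs: str, resource_id: str) -> Resource:
    return _owned_resource(realm, caller_rs, resource_id)


def hardened_update(realm: Realm, caller_rs: str, resource_id: str, name: str) -> Resource:
    res = _owned_resource(realm, caller_rs, resource_id)
    res.name = name
    return res


def hardened_delete(realm: Realm, caller_rs: str, resource_id: str) -> None:
    _owned_resource(realm, caller_rs, resource_id)
    del realm.resources[resource_id]


def denied(fn, *args) -> bool:
    """True if the operation was refused with NotFound."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Two resource servers in one realm; rs-b has learned rs-a's resource UUID."""
    realm = Realm()
    invoice = realm.register("rs-a", "invoice-2026-01")
    realm.register("rs-b", "quarterly-report")
    out = {}
    # hardened: the owner works, the foreign caller is refused for every verb
    out["hard_own_read"] = hardened_get(realm, "rs-a", invoice.id) is invoice
    out["hard_cross_read_denied"] = denied(hardened_get, realm, "rs-b", invoice.id)
    out["hard_cross_update_denied"] = denied(hardened_update, realm, "rs-b", invoice.id, "tampered")
    out["hard_cross_delete_denied"] = denied(hardened_delete, realm, "rs-b", invoice.id)
    out["name_unchanged"] = invoice.name == "invoice-2026-01"
    # vulnerable: the same foreign UUID reads and then deletes rs-a's resource
    out["vuln_cross_read"] = vulnerable_get(realm, "rs-b", invoice.id) is invoice
    out["vuln_cross_delete_denied"] = denied(vulnerable_delete, realm, "rs-b", invoice.id)
    out["resource_gone"] = invoice.id not in realm.resources
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {result}")
```

The design point is in `_owned_resource`: the ownership comparison sits in one place that every verb goes through, and a foreign UUID produces the same response as a missing one, so a client cannot use the endpoint to confirm which UUIDs exist in other resource servers.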
Defensive priority
High for affected Keycloak Authorization Services deployments; prioritize validation and patching because the flaw can expose or alter protected resources after authentication.
Recommended defensive actions
- Review Red Hat and NVD advisories for affected Keycloak releases and apply the vendor fix when available.
- Restrict access to Authorization Services Protection API endpoints to only the clients that truly require it.
- Audit object-level authorization logic to ensure resource UUIDs cannot be used to bypass ownership or server-bound checks.
- Review logs for unexpected GET, PUT, or DELETE activity against protected resources, especially from authenticated clients.
- Inventory realms and resource servers that share Authorization Services so you can identify where UUID exposure could matter.
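The two actions above, reviewing logs for unexpected GET/PUT/DELETE activity and inventorying which resource server owns which resource, combine into one check. The script below is an added example, not PatchSiren's or Red Hat's tooling: it joins a resource inventory against access-log lines and flags Protection API requests where the authenticated client is not the resource's owner. The log format (a `client=` field followed by method, path and status), the realm name `demo`, the client IDs and the resource UUIDs are constructed; the `/realms/{realm}/authz/protection/resource_set/{id}` path follows Keycloak's documented Protection API layout, but how your proxy or Keycloak access log records the client identity is an assumption you must adapt the regex to.

```python
"""Added example (not from the advisory): detect cross-resource-server
Protection API requests by joining an ownership inventory with access logs.
Log lines, inventory, client IDs and UUIDs are constructed."""
import re
from typing import Dict, List, Tuple

# Assumed log shape: "client=<id> <METHOD> <path> <status>". Adjust to your source.
PROTECTION_RE = re.compile(
    r"client=(?P<client>[\w.-]+) (?P<method>GET|PUT|DELETE|POST) "
    r"/realms/(?P<realm>[^/\s]+)/authz/protection/resource_set/"
    r"(?P<rid>[0-9a-fA-F-]{36}) (?P<status>\d{3})"
)

# Constructed inventory from L31's action: resource UUID -> (realm, owning client).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "11111111-1111-4111-8111-111111111111": ("demo", "billing-api"),
    "22222222-2222-4222-8222-222222222222": ("demo", "reports-api"),
}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
client=billing-api GET /realms/demo/authz/protection/resource_set/11111111-1111-4111-8111-111111111111 200
client=reports-api GET /realms/demo/authz/protection/resource_set/11111111-1111-4111-8111-111111111111 200
client=reports-api DELETE /realms/demo/authz/protection/resource_set/11111111-1111-4111-8111-111111111111 204
client=reports-api PUT /realms/demo/authz/protection/resource_set/22222222-2222-4222-8222-222222222222 204
client=billing-api DELETE /realms/demo/authz/protection/resource_set/33333333-3333-4333-8333-333333333333 404
client=billing-api GET /realms/demo/protocol/openid-connect/userinfo 200
"""


def find_cross_owner_requests(log_text: str, inventory: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one finding per Protection API request that either targets a
    resource owned by another client (any verb) or writes to a UUID absent
    from the inventory (a possible enumeration attempt even if it got a 404)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PROTECTION_RE.search(line)
        if not m:
            continue  # not a resource_set request; out of scope here
        client, method, rid = m["client"], m["method"], m["rid"].lower()
        status = int(m["status"])
        base = {"line": lineno, "client": client, "method": method,
                "resource": rid, "status": status, "succeeded": status < 300}
        owner = inventory.get(rid)
        if owner is None:
            if method in ("PUT", "DELETE"):
                findings.append({**base, "reason": "unknown-resource-write"})
            continue
        _realm, owner_client = owner
        if owner_client != client:
            findings.append({**base, "reason": "cross-resource-server", "owner": owner_client})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Counts by reason, and how many cross-owner requests actually succeeded."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    counts["confirmed-cross-owner-success"] = sum(
        1 for f in findings if f["reason"] == "cross-resource-server" and f["succeeded"]
    )
    return counts


if __name__ == "__main__":
    for f in find_cross_owner_requests(SAMPLE_LOG, INVENTORY):
        print(f)
    print(summarize(find_cross_owner_requests(SAMPLE_LOG, INVENTORY)))
```

Successful (2xx) cross-owner PUT or DELETE entries are the ones to treat as confirmed impact; a 404 against an unknown UUID is lower priority on its own but worth keeping because a client walking UUIDs outside its own resource server is exactly the precondition this CVE turns into a bypass.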
Evidence notes
All facts in this debrief are drawn from the supplied NVD record and its listed references. The NVD entry carries the vulnerability status 'Received,' cites Red Hat security references, and lists CWE-639. The product is identified in the source description as Keycloak. No version-specific remediation details were present in the supplied corpus.
Official resources
Publicly disclosed in the NVD record on 2026-05-19, with Red Hat security references listed in the source metadata. No KEV entry was provided in the supplied timeline.