A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the callers ownership against the first resource in the policys list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.
Weakness
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-operator-bundle:26.2.13-1 | * |
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-rhel9:26.2-15 | * |
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-rhel9-operator:26.2-15 | * |
| Red Hat build of Keycloak 26.2.13 | RedHat | rhbk/keycloak-rhel9-operator | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-operator-bundle:26.4.9-1 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-rhel9:26.4-11 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-rhel9-operator:26.4-10 | * |
| Red Hat build of Keycloak 26.4.9 | RedHat | rhbk/keycloak-rhel9-operator | * |