Red Hat Keycloak contains a vulnerability in the UMA 2.0 Protection API (CVE-2026-3190). The uma_protection role check is not properly enforced, which could allow an authenticated remote attacker to enumerate permission tickets in the system.
Product: Service Virtualization (DevTest)
Component: IAM / Keycloak Integration
The issue is caused by an unspecified flaw in the Keycloak UMA 2.0 Protection API where role checks are not strictly enforced.
This vulnerability has been addressed by Keycloak. Broadcom will provide the fix in the upcoming release of DevTest 10.9.1.
Remediation Steps:
1. Plan an upgrade to DevTest 10.9.1.
2. The release is currently scheduled for availability by the end of April 2026.
3. Once released, apply the update to the IAM component of your DevTest environment to mitigate CVE-2026-3190.
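Until the update is applied, one defensive check is to review who is successfully reading permission tickets through the Protection API. The script below is an added example, not Broadcom or Keycloak code: it scans access-log lines for successful GETs to the realm's permission-ticket endpoint (the path follows Keycloak's Protection API documentation) and reports any principal that is not on the allowlist of resource-server service accounts expected to hold uma_protection. The log-line shape and the sample entries are constructed for the example.

```python
"""Flag successful permission-ticket reads by unexpected principals (added example).

Assumes an access log in the constructed shape 'METHOD PATH STATUS user=<name>'
as a reverse proxy in front of Keycloak might write it.
"""
import re
from collections import Counter

# Keycloak UMA 2.0 Protection API permission-ticket endpoint, per realm.
TICKET_PATH = re.compile(r"^/realms/[^/]+/authz/protection/permission/ticket(?:\?|$)")
# Constructed log-line format; adjust to the proxy's real access-log layout.
LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$")


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def flag_ticket_reads(lines, expected_principals):
    """Count successful (HTTP 200) ticket-endpoint GETs per principal.

    Principals in expected_principals (resource-server service accounts that
    legitimately hold uma_protection) are ignored; anyone else who succeeds
    is evidence that the role check is not being enforced.
    """
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if (rec["method"] == "GET" and rec["status"] == "200"
                and TICKET_PATH.match(rec["path"])
                and rec["user"] not in expected_principals):
            counts[rec["user"]] += 1
    return dict(counts)


# Constructed sample: one legitimate resource server, one ordinary user
# reading tickets for several requesters, one user correctly refused.
SAMPLE_LOG = [
    "GET /realms/devtest/authz/protection/permission/ticket?owner=alice 200 user=service-account-rs",
    "GET /realms/devtest/authz/protection/permission/ticket?requester=bob 200 user=mallory",
    "GET /realms/devtest/authz/protection/permission/ticket?requester=carol 200 user=mallory",
    "GET /realms/devtest/authz/protection/permission/ticket?requester=dave 200 user=mallory",
    "POST /realms/devtest/authz/protection/permission 201 user=service-account-rs",
    "GET /realms/devtest/protocol/openid-connect/userinfo 200 user=mallory",
    "GET /realms/devtest/authz/protection/permission/ticket?requester=bob 403 user=eve",
]

if __name__ == "__main__":
    for user, n in flag_ticket_reads(SAMPLE_LOG, {"service-account-rs"}).items():
        print(f"{user}: {n} successful permission-ticket reads without expected role")
```

A 403 on the same endpoint (as for `eve` in the sample) is the behaviour expected once the role check is enforced, so only 200 responses are counted.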