MEDIUM 6.5 Maven
Keycloak Vulnerable to Improper Handling of Insufficient Permissions or Privilege
GHSA-33j3-g875-37rp · CVE-2026-9792
Published · Modified
Description
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-9792
- WEB https://github.com/keycloak/keycloak/issues/49436
- WEB https://github.com/keycloak/keycloak/pull/49636
- WEB https://github.com/keycloak/keycloak/pull/49637
- WEB https://github.com/keycloak/keycloak/commit/13622ee0ffed91fd07ef444be2c858a7f356766d
- WEB https://github.com/keycloak/keycloak/commit/2af73c16a4e49333779bb34bce65461d9af036a4
- WEB https://github.com/keycloak/keycloak/commit/af5e3e8c60842bc1f3a78e6be414fe303f93163d
- WEB https://access.redhat.com/errata/RHSA-2026:25097
- WEB https://access.redhat.com/errata/RHSA-2026:25098
- WEB https://access.redhat.com/errata/RHSA-2026:30049
- WEB https://access.redhat.com/errata/RHSA-2026:30050
- WEB https://access.redhat.com/security/cve/CVE-2026-9792
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2482459
- PACKAGE https://github.com/keycloak/keycloak
Ready to move
Start Securing
Free, no credit card | First findings in minutes