Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.5.0.
DescriptionCVE.org
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
AnalysisAI
Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit reject-ropc-grant executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
Keycloak implements OAuth2/OIDC enforcement logic through a Client Policies framework within the org.keycloak.protocol.oidc package. Client Policies consist of conditions (criteria that determine when a policy applies) and executors (actions enforced when conditions match). The reject-ropc-grant executor is designed to block the Resource Owner Password Credentials flow - a legacy OAuth2 grant type where client applications collect usernames and passwords directly, considered high-risk in modern deployments. CWE-280 (Improper Handling of Insufficient Permissions or Privileges) identifies the root cause: the enforcement logic fails to properly propagate or evaluate privilege restrictions when specific condition provider types (client-type, client-roles, client-attributes, client-scopes) are evaluated, resulting in the executor being silently skipped rather than applied. The affected product is identified by CPE cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:* - the wildcard version suggests all currently available versions of Red Hat Build of Keycloak are potentially affected.
RemediationAI
No vendor-released patch version has been identified from the available data; the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-9792) and Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2482459) should be monitored for patch availability and exact fix versions. As an immediate compensating control, administrators should audit all Client Policies that use a reject-ropc-grant executor and verify whether those policies employ any of the four affected condition types: client-type, client-roles, client-attributes, or client-scopes. For policies using these conditions, a short-term mitigation is to disable the ROPC grant entirely at the realm level via Keycloak's realm settings (Realm Settings → Login → turn off 'Direct Access Grants Enabled'), which enforces the restriction at a layer above the bypassed executor - note this may break legacy integrations that rely on ROPC and should be tested in non-production environments first. Alternatively, temporarily replacing the affected condition providers with condition types not implicated in this bypass (e.g., client-access-type, if applicable to the deployment) may preserve partial policy enforcement. Do not rely solely on the reject-ropc-grant executor as the security boundary until a patched version is confirmed.
More in Red Hat Build Of Keycloak
View allAuthorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus
Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai
Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis
Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32708
GHSA-33j3-g875-37rp