Skip to main content

Red Hat Keycloak EUVDEUVD-2026-32708

| CVE-2026-9792 MEDIUM
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-05-28 redhat GHSA-33j3-g875-37rp
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 05:03 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

DescriptionCVE.org

A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

AnalysisAI

Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit reject-ropc-grant executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

Keycloak implements OAuth2/OIDC enforcement logic through a Client Policies framework within the org.keycloak.protocol.oidc package. Client Policies consist of conditions (criteria that determine when a policy applies) and executors (actions enforced when conditions match). The reject-ropc-grant executor is designed to block the Resource Owner Password Credentials flow - a legacy OAuth2 grant type where client applications collect usernames and passwords directly, considered high-risk in modern deployments. CWE-280 (Improper Handling of Insufficient Permissions or Privileges) identifies the root cause: the enforcement logic fails to properly propagate or evaluate privilege restrictions when specific condition provider types (client-type, client-roles, client-attributes, client-scopes) are evaluated, resulting in the executor being silently skipped rather than applied. The affected product is identified by CPE cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:* - the wildcard version suggests all currently available versions of Red Hat Build of Keycloak are potentially affected.

RemediationAI

No vendor-released patch version has been identified from the available data; the Red Hat CVE page (https://access.redhat.com/security/cve/CVE-2026-9792) and Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2482459) should be monitored for patch availability and exact fix versions. As an immediate compensating control, administrators should audit all Client Policies that use a reject-ropc-grant executor and verify whether those policies employ any of the four affected condition types: client-type, client-roles, client-attributes, or client-scopes. For policies using these conditions, a short-term mitigation is to disable the ROPC grant entirely at the realm level via Keycloak's realm settings (Realm Settings → Login → turn off 'Direct Access Grants Enabled'), which enforces the restriction at a layer above the bypassed executor - note this may break legacy integrations that rely on ROPC and should be tested in non-production environments first. Alternatively, temporarily replacing the affected condition providers with condition types not implicated in this bypass (e.g., client-access-type, if applicable to the deployment) may preserve partial policy enforcement. Do not rely solely on the reject-ropc-grant executor as the security boundary until a patched version is confirmed.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

Vendor StatusVendor

Share

EUVD-2026-32708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy