Skip to main content

Keycloak EUVDEUVD-2026-39471

| CVE-2026-9800 HIGH
Comparison Using Wrong Factors (CWE-1025)
2026-06-25 redhat GHSA-79qw-g39g-mfxc
8.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable with low complexity; a low-privilege authenticated account suffices (PR:L); full authorization bypass yields high confidentiality and integrity impact but no availability effect (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 17:18 vuln.today

DescriptionCVE.org

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.

AnalysisAI

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access controls - role, scope, and User-Managed Access (UMA) permission checks - by embedding the configured access-denied page path inside a request URL as a path segment or query parameter. The affected component ships in the Red Hat Build of Keycloak, and successful exploitation grants unauthorized access to protected resources. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Identify configured access-denied page path
Exploit
Craft request URL embedding that path
Execution
Policy Enforcer skips authorization checks
Impact
Access protected resources

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a valid authenticated account of any privilege level (CVSS PR:L - not anonymous), and (2) the target application must use the Keycloak Policy Enforcer adapter with an access-denied page path configured, since the bypass works by including that exact configured path in the request URL as a path segment or query parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): network-reachable, low complexity, only a low-privilege authenticated account required, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege authenticated user of a Keycloak-protected application finds that requests to restricted resources are blocked by the Policy Enforcer. They re-issue the request with the configured access-denied page path appended as an extra path segment or added as a query parameter; the enforcer treats the request as exempt, skips all role/scope/UMA checks, and returns the protected data. …
Remediation Apply the fixed Red Hat Build of Keycloak release once published; consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9800 and the tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2482472 for the exact patched version, which is not stated in the available data (no vendor-released fix version was provided, so verify the target release directly with Red Hat before scheduling). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Red Hat Build of Keycloak deployments and enumerate resources protected by Policy Enforcer; activate comprehensive audit logging on Keycloak access decisions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

CVE-2026-9795 HIGH
7.3 May 28

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows an administrator with only limited

Vendor StatusVendor

Share

EUVD-2026-39471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy