Home

Description

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

PUBLISHED Reserved 2026-05-28 | Published 2026-05-28 | Updated 2026-05-29 | Assigner redhat




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

Improper Handling of Insufficient Permissions or Privileges

Product status

Default status
affected

Timeline

2026-05-28:Reported to Red Hat.
2026-05-28:Made public.

Credits

Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-9792 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2482459 (RHBZ#2482459) issue-tracking

cve.org (CVE-2026-9792)

nvd.nist.gov (CVE-2026-9792)

Download JSON