GHSA-33j3-g875-37rpMediumCVSS 6.5

Keycloak Vulnerable to Improper Handling of Insufficient Permissions or Privilege

Published
May 28, 2026
Last Modified
July 1, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

🎯 Affected products2

  • maven/org.keycloak:keycloak-services:>= 26.5.0, < 26.6.3
  • maven/org.keycloak:keycloak-services:<= 26.4.7

🔗 References (14)