GHSA-33j3-g875-37rpMediumCVSS 6.5
Keycloak Vulnerable to Improper Handling of Insufficient Permissions or Privilege
🔗 CVE IDs covered (1)
📋 Description
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
🎯 Affected products2
- maven/org.keycloak:keycloak-services:>= 26.5.0, < 26.6.3
- maven/org.keycloak:keycloak-services:<= 26.4.7
🔗 References (14)
- https://nvd.nist.gov/vuln/detail/CVE-2026-9792
- https://access.redhat.com/security/cve/CVE-2026-9792
- https://bugzilla.redhat.com/show_bug.cgi?id=2482459
- https://access.redhat.com/errata/RHSA-2026:25098
- https://access.redhat.com/errata/RHSA-2026:25097
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30050
- https://github.com/keycloak/keycloak/issues/49436
- https://github.com/keycloak/keycloak/pull/49636
- https://github.com/keycloak/keycloak/pull/49637
- https://github.com/keycloak/keycloak/commit/13622ee0ffed91fd07ef444be2c858a7f356766d
- https://github.com/keycloak/keycloak/commit/2af73c16a4e49333779bb34bce65461d9af036a4
- https://github.com/keycloak/keycloak/commit/af5e3e8c60842bc1f3a78e6be414fe303f93163d
- https://github.com/advisories/GHSA-33j3-g875-37rp