Description
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak’s Client Policies allows an unauthenticated attacker to bypass the reject-ropc-grant executor when the policy that carries it is gated by one of the condition providers client-type, client-roles, client-attributes or client-scopes. Because the executor is skipped rather than applied, the attacker can acquire OAuth tokens via a Resource Owner Password Credentials (ROPC) grant even though the policy was written to block it, giving unauthorized access and potential information disclosure. The weakness is classified as CWE-280, Improper Handling of Insufficient Permissions or Privileges: the server fails to act on a restriction it has already been told to enforce.

Affected Systems

All installations of the Red Hat Build of Keycloak that enable the affected Client Policies are potentially impacted. The only version-specific CPE attached to the record so far is cpe:/a:redhat:build_keycloak:26.6::el9, and no affected-version range is given, so any deployment of this product should be checked for a policy that pairs reject-ropc-grant with one of the four condition providers above.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates medium severity: the flaw is reachable over the network, needs no privileges or user interaction, and has low confidentiality and integrity impact with no availability impact. EPSS is below 1%, the SSVC assessment records no known exploitation but rates the attack as automatable, and the vulnerability is not listed in CISA’s KEV catalog. No change to the policy configuration is required on the attacker’s side: if the realm already uses the vulnerable combination of condition providers and reject-ropc-grant, an ordinary password-grant request to the token endpoint is enough to obtain tokens that the policy was meant to deny.

Generated by OpenCVE AI on May 28, 2026 at 05:50 UTC.

Remediation

Vendor Workaround

To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Do not pair the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers with the `reject-ropc-grant` executor; instead, gate the executor with the `grant-type` condition provider. Note that this widens the policy's scope: a `grant-type` condition matches every client that attempts the password grant, so ROPC is rejected realm-wide rather than only for the clients the original condition selected. A restart or reload of the Keycloak service may be required for the policy changes to take full effect.


OpenCVE Recommended Actions

  • Review and adjust all client policies that use the reject-ropc-grant executor and any of the client-type, client-roles, client-attributes, or client-scopes condition providers.
  • Replace these condition providers with a grant-type condition provider for ROPC rejection, ensuring the reject-ropc-grant executor remains effective.
  • Reload or restart the Keycloak service if the policy changes do not take effect immediately.
  • Check vendor releases for an official patch or update once it becomes available and apply it to provide a permanent fix.
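The workaround paragraph and the recommended actions above describe one procedure: find every policy that gates `reject-ropc-grant` with one of the four named condition providers, then re-gate it with `grant-type`. The script below is an added example, not code from the page or from the Keycloak project, that performs that audit over a realm export as produced by `kc.sh export`. The `clientProfiles`/`clientPolicies` layout and the `client-roles`/`client-scopes` configuration keys follow Keycloak's documented client-policy JSON; the `grant-types` configuration key for the `grant-type` condition is an assumption and should be confirmed in your version's admin console before importing. The realm fragment embedded in the script is constructed for the example.

```python
"""Audit a Keycloak realm export for the CVE-2026-9792 pattern: a policy that
pairs the reject-ropc-grant executor with one of the condition providers the
advisory says the executor ignores, and build the grant-type replacement."""
import json
from typing import Dict, List, Set

# Condition provider IDs the advisory names as bypassing reject-ropc-grant.
BYPASSED_CONDITIONS = {"client-type", "client-roles", "client-attributes", "client-scopes"}
ROPC_EXECUTOR = "reject-ropc-grant"

# Constructed realm export fragment (not taken from any real deployment).
# Keycloak exports client policies under "clientProfiles" and "clientPolicies".
SAMPLE_REALM = {
    "realm": "example",
    "clientProfiles": {
        "profiles": [
            {
                "name": "no-ropc-profile",
                "description": "Reject the resource owner password credentials grant",
                "executors": [{"executor": ROPC_EXECUTOR, "configuration": {}}],
            }
        ]
    },
    "clientPolicies": {
        "policies": [
            {   # weak: scoped by a condition provider the executor ignores
                "name": "block-ropc-for-legacy-role",
                "enabled": True,
                "conditions": [
                    {"condition": "client-roles", "configuration": {"roles": ["legacy-client"]}}
                ],
                "profiles": ["no-ropc-profile"],
            },
            {   # also weak, but currently disabled
                "name": "block-ropc-for-offline-scope",
                "enabled": False,
                "conditions": [
                    {"condition": "client-scopes",
                     "configuration": {"type": "Default", "scopes": ["offline_access"]}}
                ],
                "profiles": ["no-ropc-profile"],
            },
            {   # not affected: any-client is not one of the listed providers
                "name": "block-ropc-everywhere",
                "enabled": True,
                "conditions": [{"condition": "any-client", "configuration": {}}],
                "profiles": ["no-ropc-profile"],
            },
        ]
    },
}


def ropc_rejecting_profiles(realm: Dict) -> Set[str]:
    """Names of profiles (realm-level and global) that carry reject-ropc-grant."""
    section = realm.get("clientProfiles", {})
    names = set()
    for profile in section.get("profiles", []) + section.get("globalProfiles", []):
        if any(e.get("executor") == ROPC_EXECUTOR for e in profile.get("executors", [])):
            names.add(profile["name"])
    return names


def find_bypassed_policies(realm: Dict) -> List[Dict]:
    """Policies whose reject-ropc-grant profile is gated by a bypassed condition.
    Disabled policies are reported too, with enabled=False, so they get fixed
    before someone switches them on."""
    targets = ropc_rejecting_profiles(realm)
    findings = []
    for policy in realm.get("clientPolicies", {}).get("policies", []):
        used = {c.get("condition") for c in policy.get("conditions", [])}
        bad = sorted(used & BYPASSED_CONDITIONS)
        linked = sorted(set(policy.get("profiles", [])) & targets)
        if bad and linked:
            findings.append({"policy": policy["name"], "enabled": bool(policy.get("enabled", True)),
                             "conditions": bad, "profiles": linked})
    return findings


def grant_type_policy(name: str, profiles: List[str]) -> Dict:
    """Replacement policy per the vendor workaround: gate the same profile with
    the grant-type condition instead. The configuration key "grant-types" is an
    assumption; confirm the key your Keycloak version expects under
    Realm settings > Client policies in the admin console before importing."""
    return {
        "name": name,
        "enabled": True,
        "conditions": [{"condition": "grant-type", "configuration": {"grant-types": ["password"]}}],
        "profiles": profiles,
    }


def audit_export(path: str) -> List[Dict]:
    """Run the check over a realm export file written by kc.sh export."""
    with open(path, encoding="utf-8") as fh:
        return find_bypassed_policies(json.load(fh))


if __name__ == "__main__":
    for f in find_bypassed_policies(SAMPLE_REALM):
        print(f"{f['policy']} (enabled={f['enabled']}): {f['conditions']} -> {f['profiles']}")
    print(json.dumps(grant_type_policy("block-ropc-grant", ["no-ropc-profile"]), indent=2))
```

After importing the replacement policy, confirm it is actually enforced from outside: a POST to `/realms/<realm>/protocol/openid-connect/token` with `grant_type=password`, `client_id`, `username` and `password` for a test user should now return an error response instead of an access token. Also check the `enabled` flag in the findings; a disabled policy is not a risk today, but it will silently fail once enabled if it keeps the old condition.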

Generated by OpenCVE AI on May 28, 2026 at 05:50 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:45:00 +0000
  References: changed (values not shown)

Wed, 10 Jun 2026 18:15:00 +0000
  CPEs: removed cpe:/a:redhat:build_keycloak: ; added cpe:/a:redhat:build_keycloak:26.6::el9
  References: changed (values not shown)

Wed, 03 Jun 2026 19:45:00 +0000
  First Time appeared: added Redhat build Of Keycloak
  CPEs: added cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
  Vendors & Products: added Redhat build Of Keycloak

Sat, 30 May 2026 23:00:00 +0000
  First Time appeared: added Redhat keycloak
  Vendors & Products: added Redhat keycloak

Fri, 29 May 2026 19:30:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 12:15:00 +0000
  References: changed (values not shown)
  Metrics: threat_severity changed from None to Moderate

Thu, 28 May 2026 04:45:00 +0000
  Description: added (the text shown under Description at the top of this page)
  Title: added "Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition"
  First Time appeared: added Redhat, Redhat build Keycloak
  Weaknesses: added CWE-280
  CPEs: added cpe:/a:redhat:build_keycloak:
  Vendors & Products: added Redhat, Redhat build Keycloak
  References: changed (values not shown)
  Metrics: added cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

MITRE
  Status: PUBLISHED
  Assigner: redhat
  Published:
  Updated: 2026-06-10T21:21:59.570Z
  Reserved: 2026-05-28T03:09:25.012Z
  Link: CVE-2026-9792

Vulnrichment
  Updated: 2026-05-29T18:32:23.436Z

NVD
  Status: Modified
  Published: 2026-05-28T05:16:40.537
  Modified: 2026-06-17T11:05:38.740
  Link: CVE-2026-9792

Redhat
  Severity: Moderate
  Public Date: 2026-05-28T03:10:21Z
  Links: CVE-2026-9792 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-05-30T21:19:25Z

Weaknesses
  • CWE-280

    Improper Handling of Insufficient Permissions or Privileges