Description
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
Published: 2026-06-25
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user who possesses a User-Managed Access permission ticket for a single resource can exploit a flaw in the Keycloak authorization component. By using a special permission request prefix, the attacker bypasses per‑resource access control and gains unauthorized read or modify access to every resource of the same type on the resource server. This leads to information disclosure or modification of resources that the user does not explicitly own or have permission for.

Affected Systems

Red Hat’s Build of Keycloak is affected. No specific product versions are listed; the flaw resides in the core authorization logic of the Keycloak server. The attack can occur on any deployment where the resource server is set to PERMISSIVE policy enforcement mode, the resources are typed with ownerManagedAccess enabled, and no explicit policy protects that resource type.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate impact under best‑effort threat model. EPSS is not available, so current exploitation probability is unknown. This vulnerability is not in CISA’s KEV catalog. The attacker must first authenticate to the Keycloak server and obtain a valid UMA permission ticket, then send a crafted permission request. The weakness is a CWE‑639 (Authorization Bypass Through User-Controlled Key) and relies on misconfiguration rather than a pure software flaw. When the resource server is configured in PERMISSIVE mode, the flaw becomes exploitable, allowing the attacker to read or alter resources belonging to that type.

Generated by OpenCVE AI on June 25, 2026 at 18:07 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that the Keycloak client's policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed.


OpenCVE Recommended Actions

  • Ensure the Keycloak client’s policy enforcement mode is set to ENFORCING instead of PERMISSIVE; this is the documented workaround and removes the bypass path.
  • If PERMISSIVE mode must remain, create explicit authorization policies that protect each resource type or disable ownerManagedAccess for typed resources used with permissive enforcement.
  • Check for and apply any official Red Hat or Keycloak updates that address this issue; apply patches as soon as they become available.

Generated by OpenCVE AI on June 25, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
References

Fri, 26 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.6::el9
References

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
Title Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-639
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-26T06:46:38.312Z

Reserved: 2026-05-28T03:53:25.960Z

Link: CVE-2026-9799

cve-icon Vulnrichment

Updated: 2026-06-26T02:06:52.075Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T00:15:04Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key