Description
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
Published: 2026-06-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak Policy Enforcer enables any authenticated user to bypass all authorization checks, including role, scope, and User‑Managed Access permissions. By inserting the configured access‑denied page path into a request URL—as either a path segment or a query parameter—an attacker can trick the system into granting access to protected resources. The weakness, identified as CWE‑1025, results in unauthorized access and potential compromise of confidential or sensitive data within the application.

Affected Systems

The vulnerability affects the Red Hat Build of Keycloak. No specific product versions are listed in the available data, so it is currently unknown which exact releases contain the issue.

Risk and Exploitability

The CVSS score of 8.1 indicates a high‑severity flaw. While the EPSS score is not available, the known exploitation path—an authenticated user crafting a URL with the access‑denied path—suggests that exploitation is straightforward. The vulnerability is not listed in the CISA KEV catalog, but organizations using this product version should treat it as a critical risk until a patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 18:10 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade to the latest Red Hat Build of Keycloak containing the fix for the policy enforcer flaw.
  • If an immediate upgrade is not feasible, restrict the use of the access‑denied page path and monitor authentication logs for unauthorized access attempts.
  • Revoke or narrow the permissions of user accounts to limit the impact of an authenticated bypass until the patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
Title Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison Keycloak-policy-enforcer: keycloak policy enforcer: authorization bypass via incorrect uri comparison
First Time appeared Redhat jbosseapxp
Redhat quarkus
Redhat red Hat Single Sign On
Redhat satellite
CPEs cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:quarkus:3
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/a:redhat:satellite:6
Vendors & Products Redhat jbosseapxp
Redhat quarkus
Redhat red Hat Single Sign On
Redhat satellite

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
References

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.6::el9
References

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
Title Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-1025
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Redhat Build Keycloak Build Of Keycloak Jbosseapxp Quarkus Red Hat Single Sign On Satellite
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T00:38:28.802Z

Reserved: 2026-05-28T04:00:06.454Z

Link: CVE-2026-9800

cve-icon Vulnrichment

Updated: 2026-07-15T00:38:28.802Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:53Z

Weaknesses
  • CWE-1025

    Comparison Using Wrong Factors