CVE-2026-9792
Modified Modified - Updated After Analysis
Keycloak ROPC Grant Bypass via Client Policies

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9792
EUVD
EUVD-2026-32708
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-280 The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Keycloak's Client Policies, specifically in the org.keycloak.protocol.oidc component. When certain condition providers such as client-type, client-roles, client-attributes, or client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is bypassed silently. This means that an unauthenticated remote attacker can obtain tokens using the Resource Owner Password Credentials (ROPC) grant even if there is a policy explicitly configured to block such requests.

Impact Analysis

The vulnerability can lead to unauthorized access and information disclosure. Because an attacker can bypass security policies and obtain tokens without authentication, they may gain access to protected resources or sensitive information that should be restricted.

Compliance Impact

The vulnerability allows unauthorized access and information disclosure by bypassing configured security policies in Keycloak's Client Policies. This unauthorized access could potentially lead to violations of compliance requirements in standards and regulations such as GDPR and HIPAA, which mandate strict controls over access to sensitive data and protection of personal information.

Specifically, since the flaw permits unauthenticated remote attackers to obtain tokens via the Resource Owner Password Credentials (ROPC) grant despite policies intended to block such access, it undermines the enforcement of access controls. This could result in unauthorized data exposure or misuse, thereby impacting an organization's ability to comply with data protection and privacy regulations.

Mitigation Strategies

To mitigate this vulnerability, you should review and update your Keycloak Client Policies, especially those using the condition providers client-type, client-roles, client-attributes, and client-scopes.

Ensure that the reject-ropc-grant executor is properly enforced and consider applying any available patches or updates from Keycloak or your vendor that address this issue.

Additionally, monitor for unauthorized token requests using the Resource Owner Password Credentials (ROPC) grant and restrict or disable ROPC grant usage if it is not required in your environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart