CVE-2026-9792
Keycloak ROPC Grant Bypass via Client Policies
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | From 2026-05-28 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's Client Policies, specifically in the org.keycloak.protocol.oidc component. When certain condition providers such as client-type, client-roles, client-attributes, or client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is bypassed silently. This means that an unauthenticated remote attacker can obtain tokens using the Resource Owner Password Credentials (ROPC) grant even if there is a policy explicitly configured to block such requests.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access and information disclosure. Because an attacker can bypass security policies and obtain tokens without authentication, they may gain access to protected resources or sensitive information that should be restricted.
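A defender-side audit of a Keycloak realm export, added here as an illustration (it is not part of the advisory or of Keycloak itself): it lists enabled client policies that rely on one of the four condition types named above to reach a reject-ropc-grant executor, which is the combination the advisory says is silently bypassed. The realm JSON layout (clientProfiles/clientPolicies with executors and conditions) is assumed from Keycloak's export format, and the sample realm is constructed.

```python
import json

# Condition provider IDs the advisory names as causing the silent bypass.
BYPASSING_CONDITIONS = {"client-type", "client-roles", "client-attributes", "client-scopes"}
ROPC_EXECUTOR = "reject-ropc-grant"

# Constructed realm-export fragment. Layout assumed to follow Keycloak's
# "clientProfiles" / "clientPolicies" export sections; profile and condition
# names other than the four above are illustrative.
SAMPLE_REALM = json.dumps({
    "clientProfiles": {"profiles": [
        {"name": "no-ropc", "executors": [{"executor": "reject-ropc-grant", "configuration": {}}]},
        {"name": "pkce-only", "executors": [{"executor": "pkce-enforcer", "configuration": {}}]},
    ]},
    "clientPolicies": {"policies": [
        {"name": "block-ropc-for-public", "enabled": True,
         "conditions": [{"condition": "client-type", "configuration": {}}],
         "profiles": ["no-ropc"]},
        {"name": "block-ropc-everywhere", "enabled": True,
         "conditions": [{"condition": "any-client", "configuration": {}}],
         "profiles": ["no-ropc"]},
        {"name": "pkce-for-roles", "enabled": True,
         "conditions": [{"condition": "client-roles", "configuration": {}}],
         "profiles": ["pkce-only"]},
    ]},
})


def find_bypassed_ropc_policies(realm_json: str) -> list[dict]:
    """Return enabled policies whose reject-ropc-grant executor is gated only
    by a condition type the advisory reports as bypassing it."""
    realm = json.loads(realm_json)
    profiles = {p["name"]: p for p in realm.get("clientProfiles", {}).get("profiles", [])}
    findings = []
    for policy in realm.get("clientPolicies", {}).get("policies", []):
        if not policy.get("enabled", True):
            continue
        conditions = {c.get("condition") for c in policy.get("conditions", [])}
        # Does any profile attached to this policy carry the ROPC-rejecting executor?
        rejects_ropc = any(e.get("executor") == ROPC_EXECUTOR
                           for name in policy.get("profiles", [])
                           for e in profiles.get(name, {}).get("executors", []))
        risky = conditions & BYPASSING_CONDITIONS
        if rejects_ropc and risky:
            findings.append({"policy": policy["name"], "conditions": sorted(risky)})
    return findings


if __name__ == "__main__":
    for f in find_bypassed_ropc_policies(SAMPLE_REALM):
        print(f"policy {f['policy']!r} relies on {f['conditions']} to block ROPC")
```

The check only reports the condition types the advisory names; it makes no claim that other condition types are unaffected.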