CVE-2026-9799
Awaiting Analysis Awaiting Analysis - Queue
Keycloak Authorization Policy Bypass via UMA Permission Ticket

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Red Hat, Inc.

Description
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-9799
EUVD
EUVD-2026-39475
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
org.keycloak keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in org.keycloak.authorization where an authenticated user with a User-Managed Access (UMA) permission ticket for one resource can exploit a specific permission request prefix to bypass access controls for other resources of the same type.

Specifically, if the resource server is configured in PERMISSIVE policy enforcement mode and the resource type has ownerManagedAccess enabled without an explicit policy protecting it, the user can gain unauthorized access to all resources of that type within the same resource server, even without tickets for those specific resources.

The main issue is that this flaw allows unauthorized information disclosure or modification of resources.

Impact Analysis

This vulnerability can lead to unauthorized access to multiple resources within the same resource server, allowing an attacker to view or modify information they should not have access to.

The impact includes potential information disclosure and unauthorized modification of resources, which can compromise data integrity and confidentiality.

Compliance Impact

This vulnerability allows unauthorized access to all resources of a certain type within the same resource server, potentially leading to unauthorized disclosure or modification of sensitive information.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Mitigation Strategies

To mitigate this vulnerability, ensure that the resource server is not configured in PERMISSIVE policy enforcement mode, as the flaw requires this mode to be exploitable.

Additionally, verify that typed resources with ownerManagedAccess enabled have explicit policies protecting the resource type to prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart