CVE-2026-9792
EUVD-2026-3270828.05.2026, 05:16
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| redhat | build_of_keycloak | - |
𝑥
= Vulnerable software versions
Vulnerability Media Exposure
References