{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9792", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-05-28T03:09:25.012Z", "datePublished": "2026-05-28T03:44:18.671Z", "dateUpdated": "2026-05-28T03:44:18.671Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-9792", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459", "name": "RHBZ#2482459", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-05-28T03:10:21.828Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-280: Improper Handling of Insufficient Permissions or Privileges", "workarounds": [{"lang": "en", "value": "To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect."}], "timeline": [{"lang": "en", "time": "2026-05-28T03:09:09.710Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-28T03:10:21.828Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-28T03:44:18.671Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure."}], "id": "CVE-2026-9792", "lastModified": "2026-05-28T05:16:40.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-05-28T05:16:40.537", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-9792"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.", "bugzilla": {"description": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition", "id": "2482459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-280", "details": ["A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect."}, "name": "CVE-2026-9792", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2026-05-28T03:10:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-9792\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-9792"], "statement": "This Medium severity flaw in Keycloak allows client policies designed to reject Resource Owner Password Credentials (ROPC) grants to be bypassed. When specific condition providers (client-type, client-roles, client-attributes, or client-scopes) are used, clients can obtain tokens via ROPC despite explicit policy configuration to block such requests. This impacts Keycloak deployments where administrators rely on these policies to enforce FAPI 2.0 compliance and prevent credential exposure.", "threat_severity": "Moderate"}