VYPR
Medium severity (6.5) · NVD Advisory · Published May 28, 2026

CVE-2026-9792

Description

A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Client Policies bypass in Keycloak lets unauthenticated attackers obtain tokens through the ROPC grant even when the reject-ropc-grant executor is configured to block it.

Vulnerability

A flaw exists in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. The exact affected versions are not disclosed in the available references [1][2].

Exploitation

An unauthenticated remote attacker can exploit this bypass by sending a Resource Owner Password Credentials (ROPC) grant request to a Keycloak endpoint that has a client policy configured with the reject-ropc-grant executor. The attacker does not need any prior authentication or special network position. The bypass occurs silently, allowing the attacker to obtain tokens even when the policy is explicitly configured to block ROPC grants [1][2].

Impact

Successful exploitation allows the attacker to obtain tokens via the ROPC grant flow, leading to unauthorized access to protected resources and potential information disclosure. The attacker gains the privileges associated with the token scope, which may include access to sensitive data or actions [1][2].

Mitigation

As of the publication date (2026-05-28), no fix has been released. Red Hat has not provided a workaround in the available references. Users should monitor for updates from Red Hat and apply patches as soon as they become available [1][2].
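As an added defensive example, not code from the advisory or from Keycloak itself, the script below audits a Keycloak realm export for the configuration pattern the advisory describes: an enabled client policy that selects clients through one of the named condition providers (client-type, client-roles, client-attributes, client-scopes) and applies a profile containing the reject-ropc-grant executor. It also lists clients whose Direct Access Grants toggle is on, since that client-level setting is what makes the ROPC grant reachable at all. The realm export is constructed inline; its layout (clientProfiles/profiles/executors, clientPolicies/policies/conditions, clients/directAccessGrantsEnabled) follows Keycloak's realm representation, and the policy, profile and client names are invented.

```python
"""Audit a Keycloak realm export for client policies whose ROPC block may be
bypassed (CVE-2026-9792). Example added for illustration; not Keycloak code."""
import json
import sys

# Condition provider ids the advisory names as causing the executor bypass.
AFFECTED_CONDITIONS = {"client-type", "client-roles", "client-attributes", "client-scopes"}
ROPC_EXECUTOR = "reject-ropc-grant"

# Constructed sample realm export (names invented; layout follows Keycloak's
# realm representation as produced by a realm export).
SAMPLE_REALM = {
    "realm": "demo",
    "clients": [
        {"clientId": "web-app", "directAccessGrantsEnabled": False},
        {"clientId": "legacy-cli", "directAccessGrantsEnabled": True},
    ],
    "clientProfiles": {
        "profiles": [
            {"name": "no-ropc", "executors": [{"executor": ROPC_EXECUTOR, "configuration": {}}]},
            {"name": "pkce-only", "executors": [{"executor": "pkce-enforcer", "configuration": {}}]},
        ]
    },
    "clientPolicies": {
        "policies": [
            {   # Selects clients by role and relies on reject-ropc-grant: at risk.
                "name": "deny-ropc-by-role",
                "enabled": True,
                "conditions": [{"condition": "client-roles", "configuration": {"roles": ["restricted"]}}],
                "profiles": ["no-ropc"],
            },
            {   # Condition type outside the advisory's list: not flagged.
                "name": "deny-ropc-admin-created",
                "enabled": True,
                "conditions": [{"condition": "client-updater-context", "configuration": {}}],
                "profiles": ["no-ropc"],
            },
            {   # Affected condition, but the profile has no ROPC executor: not flagged.
                "name": "pkce-for-scopes",
                "enabled": True,
                "conditions": [{"condition": "client-scopes", "configuration": {}}],
                "profiles": ["pkce-only"],
            },
        ]
    },
}


def profiles_with_ropc_executor(realm):
    """Names of client profiles that contain the reject-ropc-grant executor."""
    profiles = realm.get("clientProfiles", {}).get("profiles", [])
    return {
        p["name"]
        for p in profiles
        if any(e.get("executor") == ROPC_EXECUTOR for e in p.get("executors", []))
    }


def at_risk_policies(realm):
    """Enabled policies that apply a reject-ropc-grant profile via an affected condition."""
    ropc_profiles = profiles_with_ropc_executor(realm)
    findings = []
    for policy in realm.get("clientPolicies", {}).get("policies", []):
        if not policy.get("enabled", True):
            continue
        if not set(policy.get("profiles", [])) & ropc_profiles:
            continue
        used = {c.get("condition") for c in policy.get("conditions", [])}
        affected = sorted(used & AFFECTED_CONDITIONS)
        if affected:
            findings.append({"policy": policy["name"], "conditions": affected})
    return findings


def clients_allowing_direct_grants(realm):
    """Clients whose own Direct Access Grants toggle is on, so ROPC is reachable for them."""
    return sorted(c["clientId"] for c in realm.get("clients", []) if c.get("directAccessGrantsEnabled"))


def audit(realm):
    """Summarise the realm: at-risk policies plus the clients that can use ROPC at all."""
    findings = at_risk_policies(realm)
    return {
        "realm": realm.get("realm"),
        "at_risk": bool(findings),
        "policies": findings,
        "direct_grant_clients": clients_allowing_direct_grants(realm),
    }


if __name__ == "__main__":
    # Usage: python audit_ropc_policies.py realm-export.json  (defaults to the sample realm)
    realm = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REALM
    print(json.dumps(audit(realm), indent=2))
```

Point it at the JSON produced by a realm export; any entry under "policies" is a policy whose ROPC block cannot be relied on until a fix ships, and "direct_grant_clients" shows which clients the grant is reachable for in the first place.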

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.