Medium severity6.5NVD Advisory· Published May 28, 2026· Updated Jun 10, 2026
CVE-2026-9792
CVE-2026-9792
Description
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
4- access.redhat.com/security/cve/CVE-2026-9792nvdMitigationVendor Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory
- access.redhat.com/errata/RHSA-2026:25097nvd
- access.redhat.com/errata/RHSA-2026:25098nvd
News mentions
1- Keycloak: Twelve Vulnerabilities Disclosed, One High SeverityVypr Intelligence · May 28, 2026