CVE-2026-9792 Overview
CVE-2026-9792 is an authorization bypass vulnerability in Keycloak's Client Policies feature. The flaw resides in the org.keycloak.protocol.oidc component. When administrators configure condition providers such as client-type, client-roles, client-attributes, or client-scopes to enforce restrictions, the reject-ropc-grant executor is silently bypassed. An unauthenticated remote attacker can obtain access tokens through the Resource Owner Password Credentials (ROPC) grant, even when an explicit policy is set to block it. The flaw maps to [CWE-280: Improper Handling of Insufficient Permissions or Privileges].
Critical Impact
Attackers can bypass explicit ROPC grant restrictions on Keycloak clients, leading to unauthorized token issuance and information disclosure.
Affected Products
- Red Hat Keycloak (see vendor advisory for affected versions)
- Red Hat build of Keycloak
- Red Hat Single Sign-On distributions incorporating the affected org.keycloak.protocol.oidc component
Discovery Timeline
- 2026-05-28 - CVE-2026-9792 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9792
Vulnerability Analysis
The vulnerability affects Keycloak's Client Policies framework, which combines conditions and executors to enforce protocol-level security controls on OpenID Connect (OIDC) clients. The reject-ropc-grant executor is intended to deny token issuance through the Resource Owner Password Credentials grant type, an OAuth 2.0 flow that exchanges a username and password directly for an access token. When policies couple this executor with condition providers including client-type, client-roles, client-attributes, or client-scopes, the executor fails to trigger. The token endpoint then issues tokens for ROPC requests that should be rejected.
Root Cause
The defect is an improper authorization enforcement issue within the policy evaluation logic. The matching path through the affected condition providers does not invoke the reject-ropc-grant executor before the token endpoint completes the ROPC flow. As a result, the policy is treated as satisfied while the protective executor never runs.
Attack Vector
The vector is network-based and requires no prior authentication or user interaction. An attacker submits a standard ROPC token request to the Keycloak token endpoint targeting a client governed by one of the affected condition providers. Despite the configured deny policy, the server returns valid tokens, enabling unauthorized access to resources protected by the realm and disclosure of information bound to the impersonated identity.
No verified proof-of-concept code is available. Refer to the Red Hat CVE-2026-9792 Advisory and Red Hat Bug Report #2482459 for vendor technical details.
Detection Methods for CVE-2026-9792
Indicators of Compromise
- Successful ROPC token responses (grant_type=password) at the /protocol/openid-connect/token endpoint for clients covered by a reject-ropc-grant policy.
- Token issuance events in Keycloak event logs for clients whose policies should deny password grants.
- Unexpected access patterns from accounts that should not authenticate via ROPC, particularly service or high-privilege accounts.
Detection Strategies
- Audit Keycloak admin event and login event streams for LOGIN events with grant_type=password against clients intended to block ROPC.
- Correlate token endpoint requests with the configured client policy set to flag mismatches between policy intent and observed outcomes.
- Review reverse proxy or ingress logs for POST requests to /realms/<realm>/protocol/openid-connect/token containing grant_type=password parameters.
Monitoring Recommendations
- Forward Keycloak event logs to a centralized logging or SIEM platform and alert on ROPC token issuance for non-approved clients.
- Monitor source IP diversity and request rates against the token endpoint to identify credential stuffing or token harvesting activity.
- Track changes to client policies, condition providers, and executors to detect tampering with the protective configuration.
How to Mitigate CVE-2026-9792
Immediate Actions Required
- Apply the Keycloak update referenced in the Red Hat CVE-2026-9792 Advisory as soon as it is available for your distribution.
- Inventory all clients that rely on the reject-ropc-grant executor combined with client-type, client-roles, client-attributes, or client-scopes conditions and treat them as exposed until patched.
- Rotate credentials for any account that may have authenticated via ROPC against an affected client, and invalidate active sessions and refresh tokens.
Patch Information
Red Hat tracks remediation under Red Hat Bug Report #2482459. Consult the vendor advisory for fixed package versions across Red Hat build of Keycloak and Red Hat Single Sign-On channels, and apply the corresponding errata to all realms.
Workarounds
- Disable the Direct Access Grants capability on affected OIDC clients to remove the ROPC code path entirely.
- Replace condition-based policies with a global Client Policy profile that unconditionally applies reject-ropc-grant to all clients that should not use password grants.
- Restrict access to the /protocol/openid-connect/token endpoint at the network layer to known service identities until the patch is deployed.
# Example: disable Direct Access Grants for a client via kcadm.sh
kcadm.sh update clients/<client-uuid> -r <realm> \
-s directAccessGrantsEnabled=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
