MEDIUM 6.5

CVE-2026-9792: Keycloak Client Policies ROPC Grant Bypass

Keycloak's Client Policies feature contains a bypass that weakens its security controls. When administrators configure policies to block the Resource Owner Password Credentials (ROPC) grant flow—a less secure authentication method—the system fails to enforce this restriction under certain conditions. An attacker can exploit this to obtain authentication tokens without proper authorization, potentially accessing sensitive data or impersonating legitimate users. The vulnerability affects how Keycloak validates policy conditions when client type, roles, attributes, or scopes are involved.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-280
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-26

NVD description (verbatim)

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9792 resides in the org.keycloak.protocol.oidc component and involves a logic flaw in Client Policies enforcement. The reject-ropc-grant executor, responsible for blocking ROPC token requests, is bypassed when specific condition providers (client-type, client-roles, client-attributes, client-scopes) are configured within a policy. This means that even though an administrator has explicitly set a policy rule to deny ROPC flows, the enforcement mechanism does not properly evaluate the condition, allowing ROPC grant requests to proceed. An unauthenticated remote attacker can interact directly with the OIDC endpoint to request tokens via ROPC, circumventing the intended security policy.

Business impact

Organizations relying on Client Policies to restrict authentication flows lose a key security boundary. If a company has disabled ROPC due to its inherent risks (credential exposure, token interception), this bypass re-introduces those risks. Attackers could obtain tokens to access protected resources, APIs, or other integrated services. The impact is information disclosure and unauthorized access; confidentiality and integrity are at risk, though availability is typically unaffected. For organizations with strict authentication policy requirements (regulated industries, zero-trust deployments), this represents a compliance violation that could require security incident notification.

Affected systems

Red Hat build of Keycloak is documented as affected. Organizations running Keycloak instances with Client Policies that use any of the four named condition providers (client-type, client-roles, client-attributes, or client-scopes) combined with a reject-ropc-grant executor are vulnerable. The vulnerability requires Keycloak to be configured as an OIDC authorization server and accessible over the network; it does not affect embedded or offline deployments. Verify the exact affected versions against Red Hat's advisory.

Exploitability

Exploitability is straightforward and requires no authentication. An attacker needs network access to the Keycloak OIDC endpoint and must craft a standard ROPC token request (username, password, client credentials). No user interaction is required, and the attack succeeds silently—the attacker receives a valid token even though policy should have rejected it. The CVSS score of 6.5 reflects this ease of exploitation, though the impact is limited to token acquisition rather than server compromise. This is a practical vulnerability that does not require sophisticated techniques or timing attacks.

Remediation

Apply the security patch from Red Hat for Keycloak when available—verify the patched version number in the official advisory. In the interim, if Client Policies cannot be immediately updated, consider operational mitigations: disable ROPC grant type entirely at the realm level if policy-based control is insufficient; restrict ROPC access to whitelisted clients via firewall or network segmentation; monitor token requests for ROPC grant type usage and alert on policy violations. Review any Client Policies currently configured with reject-ropc-grant to confirm they are functioning as intended post-remediation.

Patch guidance

Monitor Red Hat security advisories for Keycloak updates that address this bypass. When a patch is released, prioritize deployment to any Keycloak instances with Client Policies configured to restrict ROPC—these are the high-risk deployments. Test the patch in a non-production environment first to confirm the policy enforcer correctly rejects ROPC requests under all four condition provider scenarios (client-type, client-roles, client-attributes, client-scopes). After patching, re-validate that your security policies are being enforced as designed.

Detection guidance

Monitor Keycloak logs for token requests using the ROPC grant type, especially after a policy blocking ROPC should have applied. Check for successful token issuance when policies indicate ROPC should be denied. Enable OIDC protocol logging if available. Review Client Policies configurations to identify which ones use the vulnerable condition providers and executor combination. In network logs, look for POST requests to the OIDC token endpoint with grant_type=password originating from unexpected sources or clients.

Why prioritize this

Although CVSS is moderate (6.5) and the vulnerability is not yet in active exploitation databases, it enables a direct token-acquisition bypass that undermines authentication controls. Organizations with strict ROPC policies deserve visibility into whether this affects their deployments. Prioritize patching if you have Client Policies explicitly configured to block ROPC; deprioritize if ROPC is already disabled at the realm level or if Client Policies are not used.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), no authentication required (PR:N), user interaction not needed (UI:N), scope unchanged (S:U), and limited impact—confidentiality and integrity are lowered (C:L, I:L) but availability is not affected (A:N). The score appropriately captures that this is a policy bypass rather than a critical system compromise, yet it enables unauthorized token acquisition.

Frequently asked questions

Does this vulnerability affect Keycloak if we do not use Client Policies?

No, the vulnerability is specific to Client Policies. If your Keycloak deployment does not rely on Client Policies for security enforcement, you are not directly exposed via this flaw. However, review your authentication policy to confirm you have adequate ROPC controls in place via other mechanisms.

Can this vulnerability be exploited if ROPC is already disabled at the realm level?

No. If the ROPC grant type is disabled at the Keycloak realm level, the bypass cannot be exploited because ROPC requests will be rejected before they reach the Client Policies logic. If you have disabled ROPC globally, this vulnerability does not pose a risk to your deployment.

What is Resource Owner Password Credentials (ROPC) and why is it considered risky?

ROPC is an OAuth 2.0 grant type that requires a user to provide their username and password directly to the application. Unlike interactive flows (authorization code), ROPC exposes credentials to the application layer, increasing the risk of credential theft or misuse. Many organizations block ROPC to enforce more secure authentication patterns such as authorization code flow with PKCE.

How can we verify if our Client Policies are vulnerable?

Identify any Client Policies that combine one of the four condition providers (client-type, client-roles, client-attributes, client-scopes) with the reject-ropc-grant executor. If you have such policies, your configuration is vulnerable. Test by attempting an ROPC token request for a client that should be blocked; if the token is issued despite the policy, the bypass is active. Upgrade immediately when a patch is available.

This analysis is based on the published CVE record and Red Hat vendor information as of the advisory date. Patch versions, timelines, and detailed workarounds are confirmed against official vendor advisories—verify specific version numbers and update availability directly with Red Hat. Exploit details, proof-of-concept code, and active exploitation status are not provided in this article. Organizations should conduct their own risk assessment and testing in accordance with their change management policies before deploying patches to production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).