Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-28T03:10:21 keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CWE-280

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

This Medium severity flaw in Keycloak allows client policies designed to reject Resource Owner Password Credentials (ROPC) grants to be bypassed. When specific condition providers (client-type, client-roles, client-attributes, or client-scopes) are used, clients can obtain tokens via ROPC despite explicit policy configuration to block such requests. This impacts Keycloak deployments where administrators rely on these policies to enforce FAPI 2.0 compliance and prevent credential exposure. Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue. To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect. Red Hat Build of Keycloak Affected rhbk/keycloak-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-9792 https://nvd.nist.gov/vuln/detail/CVE-2026-9792