CVE-2026-9792
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk18th percentile - higher than 18% of all known CVEs
Summary
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it.
Risk Assessment
The risk involves potential unauthorized access to resources and information disclosure, as an attacker can bypass the ROPC-blocking policy and obtain access tokens.
Recommendation
It is recommended to immediately update Keycloak to a patched version and temporarily avoid using the mentioned condition providers in client policies if possible.
Original NVD description (English source)
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.

