CVE-2026-9800
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
A flaw in Keycloak Policy Enforcer allows any authenticated user to bypass all authorization policies, including role, scope, and UMA permission checks. By including the configured access-denied page path within a request URL, as a path segment or query parameter, an attacker can gain unauthorized access to protected resources.
Risk Assessment
The risk is complete bypass of access control mechanisms, potentially leading to unauthorized access to sensitive data and system functions, compromising confidentiality and integrity of protected resources.
Recommendation
Immediately update Keycloak to a version containing the fix for CVE-2026-9800 and review the Policy Enforcer configuration to ensure the access-denied page path is not accepted in URL requests.
Original NVD description (English source)
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.

