GHSA-33j3-g875-37rp
Keycloak Vulnerable to Improper Handling of Insufficient Permissions or Privilege
Details
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
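As an added example (not part of the advisory or of the Keycloak project), the following Python script scans a Keycloak realm export for enabled client policies that rely on the `reject-ropc-grant` executor together with one of the condition providers named above, so that deployments exposed to this bypass can be located before the upgrade. The export layout (`clientProfiles`/`clientPolicies`) and the condition provider IDs are assumptions taken from the advisory text; adjust them to the IDs that appear in your own export.

```python
import json

# Condition provider IDs named in the advisory as triggering the bypass.
# Assumption: adjust to the exact provider IDs present in your realm export.
BYPASS_CONDITIONS = {"client-type", "client-roles", "client-attributes", "client-scopes"}
ROPC_EXECUTOR = "reject-ropc-grant"


def find_bypassed_ropc_policies(realm: dict) -> list:
    """Return names of enabled client policies whose ROPC block may be bypassed.

    Assumed export layout:
      realm["clientProfiles"]["profiles"][*]["executors"][*]["executor"]
      realm["clientPolicies"]["policies"][*]["conditions"][*]["condition"]
    """
    # Profiles that contain the reject-ropc-grant executor.
    profiles_with_ropc = {
        p["name"]
        for p in realm.get("clientProfiles", {}).get("profiles", [])
        if any(e.get("executor") == ROPC_EXECUTOR for e in p.get("executors", []))
    }
    at_risk = []
    for policy in realm.get("clientPolicies", {}).get("policies", []):
        if not policy.get("enabled", False):
            continue  # disabled policies enforce nothing either way
        uses_ropc = bool(set(policy.get("profiles", [])) & profiles_with_ropc)
        bypass = any(c.get("condition") in BYPASS_CONDITIONS
                     for c in policy.get("conditions", []))
        if uses_ropc and bypass:
            at_risk.append(policy["name"])
    return at_risk


# Constructed sample realm export fragment (not from a real deployment).
SAMPLE_REALM = json.loads("""{
  "clientProfiles": {"profiles": [
    {"name": "no-ropc", "executors": [{"executor": "reject-ropc-grant", "configuration": {}}]},
    {"name": "pkce-only", "executors": [{"executor": "pkce-enforcer", "configuration": {}}]}
  ]},
  "clientPolicies": {"policies": [
    {"name": "block-ropc-for-public", "enabled": true,
     "conditions": [{"condition": "client-type", "configuration": {}}], "profiles": ["no-ropc"]},
    {"name": "block-ropc-everywhere", "enabled": true,
     "conditions": [{"condition": "any-client", "configuration": {}}], "profiles": ["no-ropc"]},
    {"name": "pkce-policy", "enabled": true,
     "conditions": [{"condition": "client-roles", "configuration": {}}], "profiles": ["pkce-only"]}
  ]}
}""")

if __name__ == "__main__":
    for name in find_bypassed_ropc_policies(SAMPLE_REALM):
        print(f"policy '{name}' may be bypassed on affected Keycloak versions")
```

Only `block-ropc-for-public` is reported: the `any-client` policy does not use an affected condition, and the `client-roles` policy does not use the ROPC executor.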
Affected packages
org.keycloak:keycloak-services (maven): affected 26.5.0, fixed version 26.6.3 (pom.xml: bump `<version>26.6.3</version>`)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-9792 [ADVISORY]
- https://github.com/keycloak/keycloak/issues/49436 [WEB]
- https://github.com/keycloak/keycloak/pull/49636 [WEB]
- https://github.com/keycloak/keycloak/pull/49637 [WEB]
- https://github.com/keycloak/keycloak/commit/13622ee0ffed91fd07ef444be2c858a7f356766d [WEB]
- https://github.com/keycloak/keycloak/commit/2af73c16a4e49333779bb34bce65461d9af036a4 [WEB]
- https://github.com/keycloak/keycloak/commit/af5e3e8c60842bc1f3a78e6be414fe303f93163d [WEB]
- https://access.redhat.com/errata/RHSA-2026:25097 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25098 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30049 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30050 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-9792 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2482459 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]