PatchSiren cyber security CVE debrief

CVE-2026-9792 Red Hat CVE debrief

A flaw in Keycloak's Client Policies allows bypass of the `reject-ropc-grant` executor when certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used. An unauthenticated remote attacker can obtain tokens via Resource Owner Password Credentials (ROPC) grant despite policy configuration intended to block it.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations using Keycloak for identity and access management with Client Policies configured to restrict ROPC grants. Security teams should prioritize review if condition-based policies are in use.

Technical summary

The vulnerability exists in `org.keycloak.protocol.oidc`, where the condition providers used for policy enforcement fail to properly trigger the `reject-ropc-grant` executor. This creates a logic gap: ROPC grants are processed despite an explicit denial policy. The affected condition providers are client-type, client-roles, client-attributes, and client-scopes. Attackers can exploit this without authentication to obtain access tokens, leading to unauthorized access and potential information disclosure. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N indicates that the flaw is network-exploitable with low attack complexity, requires no privileges and no user interaction, and has low impact on confidentiality and integrity with no impact on availability.

Defensive priority

medium

Recommended defensive actions

  • Review Keycloak Client Policies configuration for use of affected condition providers (client-type, client-roles, client-attributes, client-scopes)
  • Verify that the `reject-ropc-grant` executor is effectively blocking ROPC grants in your environment
  • Monitor authentication logs for unexpected ROPC grant successes
  • Apply vendor patches when available from Red Hat
  • Consider disabling ROPC grants if not required for business operations
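As an added example (not part of the PatchSiren debrief or Keycloak's own code), the following script implements the log-monitoring action above: it scans Keycloak event records for ROPC (`grant_type=password`) LOGIN successes on clients that a `reject-ropc-grant` policy should cover. The event records and the set of policy-covered clients are constructed assumptions; the field names follow Keycloak's event representation.

```python
import json
from collections import Counter

# Constructed sample of Keycloak event records (JSON, one per line), not real traffic.
SAMPLE_EVENTS = """\
{"type":"LOGIN","realmName":"corp","clientId":"legacy-cli","userId":"u-1","ipAddress":"10.0.0.5","details":{"grant_type":"password","username":"alice"}}
{"type":"LOGIN","realmName":"corp","clientId":"web-spa","userId":"u-2","ipAddress":"10.0.0.9","details":{"grant_type":"authorization_code","code_id":"c-1"}}
{"type":"LOGIN","realmName":"corp","clientId":"web-spa","userId":"u-3","ipAddress":"203.0.113.7","details":{"grant_type":"password","username":"bob"}}
{"type":"LOGIN_ERROR","realmName":"corp","clientId":"web-spa","ipAddress":"203.0.113.7","error":"invalid_grant","details":{"grant_type":"password"}}
{"type":"LOGIN","realmName":"corp","clientId":"service-portal","userId":"u-4","ipAddress":"198.51.100.2","details":{"grant_type":"password","username":"carol"}}
"""

# Clients a reject-ropc-grant policy is supposed to cover. Assumption: in practice this
# set is populated from your own realm's client-policies configuration.
ROPC_BLOCKED_CLIENTS = {"web-spa", "service-portal"}


def parse_events(raw):
    """Yield one event dict per non-empty JSON line."""
    for line in raw.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_ropc_successes(events, blocked_clients):
    """Return successful LOGIN events that used the password grant on a policy-covered client."""
    hits = []
    for ev in events:
        if ev.get("type") != "LOGIN":
            continue  # LOGIN_ERROR means the request was rejected; only successes matter here
        if ev.get("details", {}).get("grant_type") != "password":
            continue
        if ev.get("clientId") in blocked_clients:
            hits.append(ev)
    return hits


def summarize(hits):
    """Count suspected policy-bypass successes per (client, source IP) for triage."""
    return Counter((h["clientId"], h["ipAddress"]) for h in hits)


if __name__ == "__main__":
    hits = find_ropc_successes(parse_events(SAMPLE_EVENTS), ROPC_BLOCKED_CLIENTS)
    for (client, ip), n in summarize(hits).items():
        print(f"ALERT: ROPC grant succeeded for policy-covered client {client} from {ip} ({n}x)")
```

Any hit is a grant the policy should have rejected and therefore a candidate indicator that the bypass is being exercised; a clean run on an unpatched instance does not prove the executor works, since no ROPC attempt may have occurred.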

Evidence notes

CVE published 2026-05-28. Vendor identified as Red Hat based on source references. CVSS 6.5 (MEDIUM). Undergoing analysis per NVD.
