Comparison using wrong factors in Keycloak - CVE-2026-9800

 

Comparison using wrong factors in Keycloak - CVE-2026-9800

Published: June 29, 2026


Vulnerability identifier: #VU135688
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-9800
CWE-ID: CWE-1025
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to bypass authorization policies and gain unauthorized access to protected resources.

The vulnerability exists due to comparison using wrong factors in the Keycloak Policy Enforcer when handling request URLs containing the configured access-denied page path. A remote user can include the configured access-denied page path in a request URL as a path segment or query parameter to bypass authorization policies and gain unauthorized access to protected resources.

This can bypass role, scope, and User-Managed Access (UMA) permission checks.


How to mitigate CVE-2026-9800

Install security update from vendor's website.

Sources