Authorization bypass through user-controlled key in Keycloak - CVE-2026-9799



Published: June 29, 2026

Vulnerability identifier: #VU135690
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-9799
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information or modify resources.

The vulnerability exists due to improper access control in org.keycloak.authorization when processing a permission request with a specific prefix. A remote user can use a granted User-Managed Access (UMA) permission ticket for one resource to bypass per-resource access control and disclose sensitive information or modify resources.

The issue affects typed resources with ownerManagedAccess enabled when the same resource server is configured in PERMISSIVE policy enforcement mode and no explicit policy protects the resource type. User interaction is required.
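As an added defender-side check (not Keycloak's own code and not part of this advisory), the following script audits a resource server's exported authorization settings for the combination described above: PERMISSIVE enforcement mode plus typed, owner-managed resources that no resource permission covers by type or by name. It assumes the JSON shape of Keycloak's authorization export (policyEnforcementMode, resources, policies with a config map); the sample data is constructed.

```python
import json

# Constructed sample of a Keycloak authorization-settings export. The field
# names follow the shape of the admin console's authorization export
# (policyEnforcementMode, resources, policies); the values are made up.
SAMPLE_EXPORT = json.dumps({
    "policyEnforcementMode": "PERMISSIVE",
    "resources": [
        {"name": "Album 1", "type": "urn:example:album", "ownerManagedAccess": True},
        {"name": "Album 2", "type": "urn:example:album", "ownerManagedAccess": True},
        {"name": "Profile A", "type": "urn:example:profile", "ownerManagedAccess": True},
        {"name": "Doc X", "type": "urn:example:doc", "ownerManagedAccess": True},
        {"name": "Public Banner", "type": "urn:example:banner", "ownerManagedAccess": False},
    ],
    "policies": [
        {"name": "Only Owner", "type": "owner"},
        {"name": "Profile Permission", "type": "resource",
         "config": {"defaultResourceType": "urn:example:profile",
                    "applyPolicies": "[\"Only Owner\"]"}},
        {"name": "Doc X Permission", "type": "resource",
         "config": {"resources": "[\"Doc X\"]",
                    "applyPolicies": "[\"Only Owner\"]"}},
    ],
})


def unprotected_uma_resources(export: dict) -> list[str]:
    """Names of typed, ownerManagedAccess resources that match the advisory's
    risky preconditions: PERMISSIVE enforcement mode and no resource permission
    that covers the resource, either by type (defaultResourceType) or by name."""
    if export.get("policyEnforcementMode") != "PERMISSIVE":
        return []  # ENFORCING (the default) is outside the advisory's scope
    covered_types, covered_names = set(), set()
    for policy in export.get("policies", []):
        if policy.get("type") != "resource":
            continue  # only resource-based permissions bind policies to resources
        cfg = policy.get("config", {})
        if cfg.get("defaultResourceType"):
            covered_types.add(cfg["defaultResourceType"])
        # Keycloak stores the resource list as a JSON-encoded string
        covered_names.update(json.loads(cfg.get("resources", "[]")))
    return sorted(
        r["name"] for r in export.get("resources", [])
        if r.get("ownerManagedAccess") and r.get("type")
        and r["type"] not in covered_types
        and r["name"] not in covered_names
    )


def audit_export(text: str) -> list[str]:
    """Parse an export file's JSON text and run the check."""
    return unprotected_uma_resources(json.loads(text))


if __name__ == "__main__":
    for name in audit_export(SAMPLE_EXPORT):
        print("unprotected owner-managed resource:", name)
```

Resources flagged by the script should either get an explicit resource-type permission or the resource server should be switched to ENFORCING mode, in addition to applying the vendor update.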

How to mitigate CVE-2026-9799

Install the security update from the vendor's website.
