Description
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
References
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30049
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30050
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30083
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2026:30084
- VENDOR_ADVISORYhttps://access.redhat.com/security/cve/CVE-2026-9800
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=2482472