CVE-2026-9800
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.13-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-19 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6.4-2 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.6 | 26.6-8 < * | unaffected |
Weaknesses
- CWE-1025: Comparison Using Wrong Factors
Workarounds
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
keycloak-policy-enforcer: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison
Additional References
- https://access.redhat.com/security/cve/CVE-2026-9800
- https://bugzilla.redhat.com/show_bug.cgi?id=2482472
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9800.json
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30083
References
- https://access.redhat.com/errata/RHSA-2026:30049
- https://access.redhat.com/errata/RHSA-2026:30050
- https://access.redhat.com/errata/RHSA-2026:30083
- https://access.redhat.com/errata/RHSA-2026:30084
- https://access.redhat.com/security/cve/CVE-2026-9800
- https://bugzilla.redhat.com/show_bug.cgi?id=2482472
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.