Bug 2482472 (CVE-2026-9800)

Summary: CVE-2026-9800 keycloak-policy-enforcer: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anthomas, ant, anujha, aschwart, asoldano, aszczucz, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, bstansbe, cescoffi, dandread, dkreling, dlofthou, drichtar, ehelms, ggainey, gsmet, istudens, ivassile, iweiss, jmartisk, jpasqual, juwatts, lthon, manderse, mhulan, mosmerov, mposolda, msvehla, nmoumoul, nwallace, olubyans, osousa, pberan, pcreech, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rmartinc, rruss, rstancel, rsvoboda, sbiarozk, security-response-team, smallamp, ssilvert, sthorger, thjenkin, tmalecek, tqvarnst, vdosoudi, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-08-19   

Description OSIDB Bzimport 2026-05-28 04:19:55 UTC
Summary

PolicyEnforcer.isDefaultAccessDeniedUri uses a substring match
(String.contains) instead of an exact path comparison to determine
whether an incoming request targets the configured access-denied page.
When the check matches, the request is short-circuited as granted —
skipping all role checks, scope checks, and UMA permission evaluation.
Any authenticated user can bypass every authorization policy by
including the on-deny-redirect-to value anywhere in the request URL
(as a path segment or query parameter).

Requirements to exploit

Any authenticated user with a valid access token. No specific role,
scope, or UMA permission required. The attacker needs to know the
on-deny-redirect-to value, which defaults to /access-denied and is
trivially discoverable by triggering a deny and observing the redirect
location.

Component affected: org.keycloak.keycloak-policy-enforcer

Version affected: 26.0.5 (latest on Maven Central) and all prior
versions containing PolicyEnforcer.isDefaultAccessDeniedUri

Patch available: no

File issue trackers? Yes, for all supported release streams

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1 High)

Embargo: yes (High severity, complete authorization bypass.
Suggested date: 19-Aug-2026)

Acknowledgement:

Bas Levering <basdaniel3>

Steps to reproduce

1. Deploy an application using keycloak-policy-enforcer with
on-deny-redirect-to set to /access-denied (or any value)
2. Obtain a valid access token for any authenticated user (no specific
roles required)
3. Send a request to a protected endpoint with /access-denied appended
to the path: GET /api/protected-resource/access-denied
4. Alternatively, append it as a query parameter: GET
/api/protected-resource?x=/access-denied
5. The request is granted without any authorization evaluation — no
role check, no scope check, no UMA permission check runs