Fedora Account System
Red Hat Associate
Red Hat Customer
Summary PolicyEnforcer.isDefaultAccessDeniedUri uses a substring match (String.contains) instead of an exact path comparison to determine whether an incoming request targets the configured access-denied page. When the check matches, the request is short-circuited as granted — skipping all role checks, scope checks, and UMA permission evaluation. Any authenticated user can bypass every authorization policy by including the on-deny-redirect-to value anywhere in the request URL (as a path segment or query parameter). Requirements to exploit Any authenticated user with a valid access token. No specific role, scope, or UMA permission required. The attacker needs to know the on-deny-redirect-to value, which defaults to /access-denied and is trivially discoverable by triggering a deny and observing the redirect location. Component affected: org.keycloak.keycloak-policy-enforcer Version affected: 26.0.5 (latest on Maven Central) and all prior versions containing PolicyEnforcer.isDefaultAccessDeniedUri Patch available: no File issue trackers? Yes, for all supported release streams CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1 High) Embargo: yes (High severity, complete authorization bypass. Suggested date: 19-Aug-2026) Acknowledgement: Bas Levering <basdaniel3> Steps to reproduce 1. Deploy an application using keycloak-policy-enforcer with on-deny-redirect-to set to /access-denied (or any value) 2. Obtain a valid access token for any authenticated user (no specific roles required) 3. Send a request to a protected endpoint with /access-denied appended to the path: GET /api/protected-resource/access-denied 4. Alternatively, append it as a query parameter: GET /api/protected-resource?x=/access-denied 5. The request is granted without any authorization evaluation — no role check, no scope check, no UMA permission check runs