Bug 2482472 (CVE-2026-9800) - CVE-2026-9800 keycloak-policy-enforcer: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison
Summary: CVE-2026-9800 keycloak-policy-enforcer: Keycloak Policy Enforcer: Authorizati...
Keywords:
Status: NEW
Alias: CVE-2026-9800
Deadline: 2026-08-19
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 04:19 UTC by OSIDB Bzimport
Modified: 2026-07-03 08:49 UTC (History)
59 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 04:19:55 UTC
Summary

PolicyEnforcer.isDefaultAccessDeniedUri uses a substring match
(String.contains) instead of an exact path comparison to determine
whether an incoming request targets the configured access-denied page.
When the check matches, the request is short-circuited as granted —
skipping all role checks, scope checks, and UMA permission evaluation.
Any authenticated user can bypass every authorization policy by
including the on-deny-redirect-to value anywhere in the request URL
(as a path segment or query parameter).

Requirements to exploit

Any authenticated user with a valid access token. No specific role,
scope, or UMA permission required. The attacker needs to know the
on-deny-redirect-to value, which defaults to /access-denied and is
trivially discoverable by triggering a deny and observing the redirect
location.

Component affected: org.keycloak.keycloak-policy-enforcer

Version affected: 26.0.5 (latest on Maven Central) and all prior
versions containing PolicyEnforcer.isDefaultAccessDeniedUri

Patch available: no

File issue trackers? Yes, for all supported release streams

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1 High)

Embargo: yes (High severity, complete authorization bypass.
Suggested date: 19-Aug-2026)

Acknowledgement:

Bas Levering <basdaniel3>

Steps to reproduce

1. Deploy an application using keycloak-policy-enforcer with
on-deny-redirect-to set to /access-denied (or any value)
2. Obtain a valid access token for any authenticated user (no specific
roles required)
3. Send a request to a protected endpoint with /access-denied appended
to the path: GET /api/protected-resource/access-denied
4. Alternatively, append it as a query parameter: GET
/api/protected-resource?x=/access-denied
5. The request is granted without any authorization evaluation — no
role check, no scope check, no UMA permission check runs


Note You need to log in before you can comment on or make changes to this bug.