Intel

AIKIDO-2026-229938

keycloak-services is vulnerable to Authorization Bypass

Authorization BypassCVE-2026-9800 Published 3 days ago

81

High Risk

This Affects:

JAVAkeycloak-services
1.0.1 - 26.6.3
Fixed in 26.6.4
Are you affected? Scan for Free

TL;DR

The Keycloak policy enforcement compares request URIs incorrectly when matching the configured access-denied page path. By placing that path inside a request URL as a path segment or a query parameter, an authenticated user can make the server treat protected requests as the public access-denied page. This bypasses all role, scope, and UMA permission checks and grants access to protected resources. The fix corrects the URI comparison so the access-denied path no longer disables enforcement.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your deployment relies on Keycloak authorization policy enforcement with a configured access-denied page.

Background info

keycloak-services is vulnerable to Authorization Bypass in versions 1.0.1 - 26.6.3.

How to fix this

Upgrade the org.keycloak:keycloak-services library to the patch version.