Intel

AIKIDO-2026-584823

keycloak-services is vulnerable to Authorization Bypass

Authorization BypassCVE-2026-9799 Published 3 days ago

46

Medium Risk

This Affects:

JAVAkeycloak-services
1.0.1.Final - 26.6.3
Fixed in 26.6.4
Are you affected? Scan for Free

TL;DR

Keycloak's authorization services let a user holding a User-Managed Access permission ticket for one resource use a specific permission request prefix to bypass per-resource checks. This grants access to all resources of the same type on the resource server, even without a ticket for them. It applies to resource servers in PERMISSIVE enforcement mode with owner-managed typed resources that have no explicit type policy, allowing unauthorized disclosure or modification. The fix enforces per-resource authorization for these permission requests.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and a resource server runs in PERMISSIVE policy enforcement mode with owner-managed typed resources.

Background info

keycloak-services is vulnerable to Authorization Bypass in versions 1.0.1.Final - 26.6.3.

How to fix this

Upgrade the org.keycloak:keycloak-services library to the patch version.