Intel

AIKIDO-2026-91957

keycloak-policy-enforcer is vulnerable to Authorization Bypass

Authorization BypassCVE-2026-9800 Published 3 days ago

81

High Risk

This Affects:

JAVAkeycloak-policy-enforcer
21.1.0 - 26.0.9
Fixed in 26.0.10
Are you affected? Scan for Free

TL;DR

The Keycloak policy enforcer compares request URIs incorrectly when matching the configured access-denied page path. By placing that path inside a request URL as a path segment or query parameter, an authenticated user can make the enforcer treat protected requests as the public access-denied page. This bypasses all role, scope, and UMA permission checks and grants access to protected resources. The fix corrects the URI comparison so the access-denied path no longer disables enforcement.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the Keycloak policy enforcer with a configured access-denied page.

Background info

keycloak-policy-enforcer is vulnerable to Authorization Bypass in versions 21.1.0 - 26.0.9.

How to fix this

Upgrade the org.keycloak:keycloak-policy-enforcer library to the patch version.