keycloak-policy-enforcer is vulnerable to Authorization Bypass
81
High Risk
The Keycloak policy enforcer compares request URIs incorrectly when matching the configured access-denied page path. By placing that path inside a request URL as a path segment or query parameter, an authenticated user can make the enforcer treat protected requests as the public access-denied page. This bypasses all role, scope, and UMA permission checks and grants access to protected resources. The fix corrects the URI comparison so the access-denied path no longer disables enforcement.
You are affected if you are using a version that falls within the vulnerable range and your application uses the Keycloak policy enforcer with a configured access-denied page.
keycloak-policy-enforcer is vulnerable to Authorization Bypass in versions 21.1.0 - 26.0.9.
Upgrade the org.keycloak:keycloak-policy-enforcer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant