This vulnerability exists in the 'org.keycloak.protocol.oidc' component of Red Hat Build of Keycloak's Client Policies. When condition providers such as client-type, client-roles, client-attributes, or client-scopes are used, the 'reject-ropc-grant' executor designed to block ROPC grants can be bypassed silently. This bypass enables an unauthenticated remote attacker to obtain tokens via the ROPC grant flow even when policies explicitly forbid it. The issue results from improper handling of insufficient permissions or privileges in the enforcement logic of client policies. The vulnerability is publicly documented with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and low confidentiality and integrity impact without availability impact. No known exploits in the wild have been reported. The vendor advisory does not currently confirm a patch or remediation.

An unauthenticated remote attacker can bypass configured client policies that are intended to block the Resource Owner Password Credentials grant type. This allows the attacker to obtain authentication tokens without proper authorization, potentially leading to unauthorized access to protected resources and information disclosure. The impact is limited to confidentiality and integrity with no reported availability impact. The medium CVSS score reflects the moderate risk posed by this vulnerability.

Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9792 for current remediation guidance. Until an official fix is released, administrators should review and potentially disable the use of the ROPC grant type or avoid using the affected condition providers in client policies as a temporary mitigation. Monitor Red Hat's advisory for updates on patches or official workarounds.