CVE-2026-9800: Comparison Using Wrong Factors in Red Hat Red Hat Build of Keycloak
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
AI Analysis
Technical Summary
The vulnerability in Red Hat Build of Keycloak's Policy Enforcer arises from improper comparison logic involving the access-denied page path. Authenticated users can exploit this by crafting request URLs that include the configured access-denied page path, bypassing all authorization checks such as roles, scopes, and UMA permissions. This flaw effectively allows unauthorized access to protected resources. The CVSS 3.1 base score is 8.1, indicating a high severity with network attack vector, low attack complexity, and requiring low privileges but no user interaction. No vendor advisory details on remediation or affected versions are currently provided.
Potential Impact
An attacker with valid authentication can bypass all authorization policies in Keycloak, gaining unauthorized access to protected resources. This compromises confidentiality and integrity of the protected data and services. Availability is not impacted. The vulnerability affects access control mechanisms critical to secure authorization enforcement.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9800 for current remediation guidance. Until an official fix is available, consider restricting access to the configured access-denied page path and monitoring for unusual access patterns involving this path. Avoid relying solely on the Policy Enforcer for authorization enforcement in affected deployments.
CVE-2026-9800: Comparison Using Wrong Factors in Red Hat Red Hat Build of Keycloak
Description
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
CVSS v3.1
Score 8.1high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat Build of Keycloak's Policy Enforcer arises from improper comparison logic involving the access-denied page path. Authenticated users can exploit this by crafting request URLs that include the configured access-denied page path, bypassing all authorization checks such as roles, scopes, and UMA permissions. This flaw effectively allows unauthorized access to protected resources. The CVSS 3.1 base score is 8.1, indicating a high severity with network attack vector, low attack complexity, and requiring low privileges but no user interaction. No vendor advisory details on remediation or affected versions are currently provided.
Potential Impact
An attacker with valid authentication can bypass all authorization policies in Keycloak, gaining unauthorized access to protected resources. This compromises confidentiality and integrity of the protected data and services. Availability is not impacted. The vulnerability affects access control mechanisms critical to secure authorization enforcement.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9800 for current remediation guidance. Until an official fix is available, consider restricting access to the configured access-denied page path and monitoring for unusual access patterns involving this path. Avoid relying solely on the Policy Enforcer for authorization enforcement in affected deployments.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-05-28T04:00:06.454Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-9800","vendor":"Red Hat"}]
Threat ID: 6a3d5b514853345fc13372dd
Added to database: 06/25/2026, 16:46:09 UTC
Last enriched: 06/25/2026, 17:00:55 UTC
Last updated: 06/25/2026, 18:31:23 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.