Vulnerability Details CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 22.8%
CVSS Severity
CVSS v3 Score 8.1
Products affected by CVE-2026-9800
-
cpe:2.3:a:redhat:build_of_keycloak:*