CVE-2026-9799
Keycloak: keycloak: unauthorized access to resources via uma permission ticket bypass
Description
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
INFO
Published Date: June 25, 2026, 4:17 p.m.
Last Modified: June 25, 2026, 4:17 p.m.
Remotely Exploitable: Yes
Source: redhat
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | MEDIUM | | | | 53f830b8-0a3f-465b-8143-3b8a9948e749 |
| | CVSS 3.1 | MEDIUM | | | | [email protected] |
Solution
- Update org.keycloak.authorization to the latest version.
- Review and enforce resource protection policies.
- Disable ownerManagedAccess if not required.
- Avoid PERMISSIVE policy enforcement mode.