A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
{
"github_reviewed_at": "2026-07-01T21:22:38Z",
"nvd_published_at": "2026-05-28T05:16:40Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-280"
],
"severity": "MODERATE"
}