Skip to main content

Red Hat Keycloak CVE-2026-16103

| EUVDEUVD-2026-45225 MEDIUM
2026-07-17 redhat
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
2.6 LOW

OAuth client credentials required (PR:L); specific race-condition timing between CIBA approval and account lockout raises complexity (AC:H); only token confidentiality disclosed (C:L).

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 17:17 vuln.today

DescriptionNVD

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication (CIBA) initiation handler but were omitted from the token redemption handler. This allows an attacker with valid client credentials to obtain access and refresh tokens for a user account that has been locked due to brute-force protection, provided the authentication request was started before the lockout occurred and was approved by the user.

AnalysisAI

Brute-force lockout bypass in Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow allows an attacker holding valid OAuth client credentials to redeem previously approved authentication requests and obtain access and refresh tokens for a user account that has since been locked. This is an incomplete fix for CVE-2026-9798: the brute-force protection check was applied to the CIBA initiation handler but was never added to the token redemption handler, creating a gap that persists after the earlier patch. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise OAuth client credentials
Delivery
Initiate CIBA auth request targeting locked-out victim
Exploit
Victim user approves back-channel authentication prompt
Execution
Trigger or await victim account brute-force lockout
Persist
Submit approved auth_req_id to token redemption endpoint
Impact
Receive access and refresh tokens for locked account

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the attacker must possess valid OAuth client credentials (client_id and client_secret) for a client registered in the target Keycloak realm - these are application-level secrets, not user passwords; (2) the target user account must have an active, user-approved CIBA authentication request that was initiated before the account became locked - this means the user must have actively approved the back-channel authentication prompt; and (3) the user account must subsequently enter a locked state due to brute-force protection before the attacker redeems the auth_req_id at the token endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk is moderate and scenario-constrained. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a registered OAuth client in the Keycloak realm initiates a CIBA authentication request for a targeted user account and waits for the user to approve the push notification or out-of-band prompt - which the user does, believing it to be a legitimate sign-in. If the target user's account is then locked by brute-force protection (whether triggered by the attacker on a separate channel or by prior failed attempts), the attacker can still call the CIBA token redemption endpoint with the approved auth_req_id and receive valid access and refresh tokens, effectively bypassing the lockout mechanism. …
Remediation Patch availability has not been confirmed with an exact fix version from the available references; a Red Hat vendor advisory exists at https://access.redhat.com/security/cve/CVE-2026-16103 and should be checked for updated package versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

Share

CVE-2026-16103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy