Skip to main content

Keycloak CVE-2026-9798

| EUVDEUVD-2026-32717 MEDIUM
Authentication Bypass by Primary Weakness (CWE-305)
2026-05-28 secalert@redhat.com GHSA-q6h7-xxp7-7429
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 06:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

DescriptionCVE.org

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

AnalysisAI

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Technical ContextAI

Keycloak is a widely deployed open-source Identity and Access Management (IAM) solution supporting OAuth 2.0, OpenID Connect, and SAML. The Client-Initiated Backchannel Authentication (CIBA) flow (RFC 9156) is a decoupled authentication mechanism where an OAuth client initiates authentication on behalf of a user, and the user approves the request on a separate authentication device. Unlike the standard Authorization Code flow, CIBA does not redirect the user's browser, making it a distinct code path in Keycloak's authentication stack. The root cause is CWE-305 (Authentication Bypass by Primary Weakness): the CIBA request handler does not consult or respect the brute-force protection state of the targeted user account before initiating authentication processing and issuing tokens. The affected component is the CIBA flow implementation within Keycloak's authentication broker, tracked under Red Hat Bugzilla ID 2482470.

RemediationAI

The primary remediation is to apply the vendor-released patch identified in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-9798; however, an exact fixed version number was not present in the available intelligence and should be confirmed directly from that advisory before upgrading. As a compensating control pending patching, administrators should consider disabling the CIBA grant type on realms where it is not operationally required - this removes the vulnerable code path entirely but will break any applications relying on the backchannel authentication flow. Alternatively, restricting which OAuth clients are permitted to use the CIBA flow via Keycloak client-level grant type configuration reduces the attack surface to trusted, internally controlled applications. Organizations should also increase brute-force lockout thresholds and duration so that even if bypass is possible, the window of exploitability yields fewer successful credential guesses per attempt. Note that disabling CIBA entirely is a breaking change for CIBA-dependent integrations and should be tested in non-production environments first.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-9704 HIGH
8.8 May 27

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2026-9802 MEDIUM
6.8 May 28

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th

CVE-2025-7784 MEDIUM
6.5 Jul 18

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

Vendor StatusVendor

Share

CVE-2026-9798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy