Skip to main content

Keycloak EUVDEUVD-2026-32719

| CVE-2026-9803 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-28 secalert@redhat.com GHSA-cpf7-j4cf-vqx4
5.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 06:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

DescriptionCVE.org

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.

AnalysisAI

Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.

Technical ContextAI

Keycloak is a widely-deployed open-source identity and access management platform commonly used for OAuth 2.0, OpenID Connect, and SAML federation. The ClientRegistrationAuth component governs authentication checks on the Dynamic Client Registration API endpoints (typically at /realms/{realm}/clients-registrations/...). The root cause is CWE-125 (Out-of-bounds Read): in the Java runtime, this manifests as an ArrayIndexOutOfBoundsException when header-parsing logic attempts to access an index beyond array bounds on a truncated or structurally incomplete Bearer token string - for example, a header value of 'Bearer' with no trailing token. Java does not allow memory corruption on out-of-bounds access, so the result is a thrown exception rather than heap corruption; however, if the exception propagates unhandled through the request lifecycle it terminates the HTTP response with a 500 status and renders the endpoint dysfunctional for the request duration. No CPE strings were included in the provided intelligence; exact affected Keycloak versions must be sourced from the Red Hat advisory. The 'Buffer Overflow' tag in the source data is technically inaccurate for a managed Java runtime - the underlying mechanism is array index miscalculation, consistent with CWE-125, not a native memory buffer overwrite.

RemediationAI

No specific patched version was confirmed in the available input data; organizations should monitor https://access.redhat.com/security/cve/CVE-2026-9803 and https://bugzilla.redhat.com/show_bug.cgi?id=2482465 for patch releases and apply vendor-issued updates as soon as they become available. As an effective compensating control, disable Dynamic Client Registration entirely within each Keycloak realm via the admin console (Realm Settings → Client Registration → Disable) if the feature is not operationally required - this eliminates the vulnerable code path with no impact on standard authentication or token issuance flows. If dynamic registration must remain enabled, restrict network access to the /realms/*/clients-registrations/* path prefix at the reverse proxy or WAF layer to trusted management networks only, directly neutralizing the unauthenticated attack vector; note that this requires accurate network segmentation and does not address the underlying defect. Input validation at the WAF level to reject malformed Authorization headers is a lower-confidence secondary control, as header normalization behavior varies by proxy implementation.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-9704 HIGH
8.8 May 27

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2026-9802 MEDIUM
6.8 May 28

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th

CVE-2025-7784 MEDIUM
6.5 Jul 18

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

Vendor StatusVendor

Share

EUVD-2026-32719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy