MEDIUM 4.3 Maven
Keycloak has an Authentication Bypass by Primary Weakness
GHSA-q6h7-xxp7-7429 · CVE-2026-9798
Published · Modified
Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-9798
- WEB https://github.com/keycloak/keycloak/issues/49432
- WEB https://github.com/keycloak/keycloak/pull/49791
- WEB https://github.com/keycloak/keycloak/pull/49903
- WEB https://github.com/keycloak/keycloak/pull/49905
- WEB https://github.com/keycloak/keycloak/commit/11c2695064cd93da1d333df3f69d4a4141e86c29
- WEB https://github.com/keycloak/keycloak/commit/2edc6b112e2dedce63062b89ab3c7ae542e0d9ac
- WEB https://github.com/keycloak/keycloak/commit/a11e3254efc16ae72ce5092b93b9f557a4ba43ae
- WEB https://access.redhat.com/security/cve/CVE-2026-9798
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2482470
- PACKAGE https://github.com/keycloak/keycloak
Ready to move
Start Securing
Free, no credit card | First findings in minutes