CVE-2026-9798 PUBLISHED

Keycloak: keycloak: brute-force protection bypass in ciba flow

Assigner: redhat
Reserved: 28.05.2026 Published: 28.05.2026 Updated: 28.05.2026

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Build of Keycloak
Versions	Default: affected

Workarounds

To mitigate this issue, ensure that Client-Initiated Backchannel Authentication (CIBA) is not enabled in Keycloak realms unless explicitly required. If CIBA is enabled, consider disabling it to prevent the bypass of brute-force protection mechanisms. Consult Keycloak documentation for instructions on managing CIBA configuration.

Credits

Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

References

Problem Types

Authentication Bypass by Primary Weakness CWE