Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-4634 is a denial of service (DoS) vulnerability in Keycloak related to the processing of OpenID Connect (OIDC) scope parameters.

An unauthenticated attacker can send a specially crafted POST request with an excessively long scope parameter to the OIDC token endpoint. Keycloak does not limit the size or number of scopes, leading to very high resource consumption.

The root cause is inefficient processing in the method TokenManager.getRequestedClientScopes(), which uses a String.contains() check that results in O(n²) time complexity relative to the scope string length. This causes exponential delays as the scope list grows.

Proof of concept tests show that a single POST request with about 49 KB of scope data causes roughly 38.6 seconds of server processing, and 99 KB causes about 151.8 seconds, effectively causing a denial of service.

Multiple grant types are affected, including Resource Owner Password Credentials, client credentials, and token refreshes. The token refresh endpoint is vulnerable even before token validation, allowing unauthenticated exploitation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the Keycloak server by exhausting server resources and causing prolonged processing times.

An attacker can exploit this flaw without authentication by sending a crafted POST request with a very large scope parameter, leading to server slowdown or unavailability.

As a result, legitimate users may be unable to authenticate or obtain tokens, disrupting access to applications and services that rely on Keycloak for identity and access management.

This can impact business continuity and availability of critical systems that depend on Keycloak for authentication.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually large or excessively long POST requests sent to the OpenID Connect token endpoint of the Keycloak server, specifically those containing very large scope parameters.

One approach is to capture and analyze HTTP POST requests to the token endpoint and check the size of the scope parameter. Requests with scope data sizes in the tens of kilobytes (e.g., 49 KB or more) are suspicious and may indicate an exploit attempt.

Network or system administrators can use tools like curl or wget to simulate such requests for testing detection, or use packet capture tools like tcpdump or Wireshark to monitor traffic.

• Use tcpdump to capture POST requests to the token endpoint: tcpdump -A -s 0 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Use grep or similar tools to filter logs for POST requests with large scope parameters.
• Use curl to test the endpoint with a large scope parameter: curl -X POST -d 'scope=<very_long_scope_string>' https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/token

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include limiting the size and number of scope parameters accepted by the Keycloak server at the OpenID Connect token endpoint.

Administrators should apply any available patches or updates from Keycloak or their Linux distribution that address this vulnerability as soon as possible.

If patches are not yet available, consider implementing network-level protections such as rate limiting or filtering to block or throttle excessively large POST requests targeting the token endpoint.

Monitoring and alerting on abnormal resource consumption or prolonged processing times on the Keycloak server can also help detect and respond to exploitation attempts.

Useful 0 Not Useful 0