CVE-2026-9798
Analyzed Analyzed - Analysis Complete
Keycloak CIBA Flow Bypasses Account Lockout Protection

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-03
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9798
EUVD
EUVD-2026-32717
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Keycloak, an open-source identity and access management solution. It occurs when a user account is temporarily locked due to repeated failed login attempts. An attacker who has valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection mechanism.

By exploiting this flaw, the attacker can continue making authentication attempts and receive token issuance even though the account should be locked, potentially allowing unauthorized access attempts to proceed.

Impact Analysis

This vulnerability can impact you by allowing an attacker to bypass account lockout protections designed to prevent brute-force attacks. As a result, unauthorized users may continue attempting to authenticate and obtain tokens, increasing the risk of unauthorized access to your systems or data.

Compliance Impact

The vulnerability in Keycloak allows an attacker to bypass brute-force protection mechanisms, potentially enabling unauthorized access attempts even when user accounts are locked. This could lead to unauthorized access to sensitive personal or protected health information.

Such unauthorized access risks may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls to protect user data and prevent unauthorized access.

However, the provided information does not explicitly detail the compliance implications or specific regulatory impacts of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9798. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart