CVE-2026-9801
Modified Modified - Updated After Analysis
OutOfMemoryError DoS in Keycloak via Malformed LDAP Response

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9801
EUVD
EUVD-2026-32718
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should restrict high privilege access such as realm administrator permissions to trusted users only, and avoid configuring untrusted or malicious LDAP servers.

Additionally, monitor and secure upstream LDAP servers to prevent compromise that could be exploited to send malformed LDAP password policy responses.

Applying any available patches or updates from Keycloak or your vendor addressing this CVE is also recommended to prevent the OutOfMemoryError and subsequent denial of service.

Executive Summary

This vulnerability exists in Keycloak and can be exploited by a remote attacker who has high privileges, such as a realm administrator or someone who has compromised an upstream LDAP server.

The attacker sends a malformed LDAP password policy response during a password authentication request, which triggers an OutOfMemoryError in the Keycloak Java Virtual Machine (JVM).

This error causes the JVM to terminate, leading to a denial of service (DoS) for all realms on the affected node.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition.

When exploited, the Keycloak JVM crashes due to an OutOfMemoryError, causing all realms on the affected node to become unavailable.

This can disrupt authentication services and potentially halt access to applications relying on Keycloak for identity and access management.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart