CVE-2026-9801
OutOfMemoryError DoS in Keycloak via Malformed LDAP Response
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak and can be exploited by a remote attacker who has high privileges, such as a realm administrator or someone who has compromised an upstream LDAP server.
The attacker sends a malformed LDAP password policy response during a password authentication request, which triggers an OutOfMemoryError in the Keycloak Java Virtual Machine (JVM).
This error causes the JVM to terminate, leading to a denial of service (DoS) for all realms on the affected node.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) condition.
When exploited, the Keycloak JVM crashes due to an OutOfMemoryError, causing all realms on the affected node to become unavailable.
This can disrupt authentication services and potentially halt access to applications relying on Keycloak for identity and access management.