CVE-2026-9803
Authentication Bypass in Keycloak ClientRegistrationAuth
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit it by sending a specially crafted POST request containing a malformed 'Authorization: Bearer' header to any client registration endpoint.
When this malformed request is processed, it causes an ArrayIndexOutOfBoundsException, which makes the server respond with an HTTP 500 error.
This ultimately results in a Denial of Service (DoS) condition for the affected service.
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) on the affected Keycloak service.
An attacker can cause the service to become unavailable by triggering an error that causes the server to return HTTP 500 responses.
This can disrupt authentication and client registration processes that rely on Keycloak, potentially affecting availability of applications and services that depend on it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP 500 errors returned from the client registration endpoints of Keycloak when receiving POST requests with malformed 'Authorization: Bearer' headers.
One way to detect exploitation attempts is to capture and analyze network traffic for POST requests to client registration endpoints that contain malformed 'Authorization: Bearer' headers.
For example, command-line tools such as curl and tcpdump can be used to simulate or capture such requests:
- Use curl to send a malformed Authorization header and observe the response code: `curl -X POST -H "Authorization: Bearer malformed_token" https://<keycloak-server>/auth/realms/<realm>/clients-registrations/default -v`
- Use tcpdump or Wireshark to capture POST requests to the client registration endpoint and filter for Authorization headers: `tcpdump -i <interface> -A -s 0 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`. Note that this filter only selects port-443 segments that carry a non-empty payload; because that traffic is normally TLS-encrypted, the header contents are only readable where TLS is terminated (for example on the reverse proxy or at a plaintext backend port).
Monitoring server logs for repeated HTTP 500 errors on client registration endpoints can also help identify potential exploitation attempts.
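The log-monitoring approach above, as an added example (not part of the CVE record or of Keycloak): it parses access-log lines in Common Log Format, as a reverse proxy in front of Keycloak might write them, and flags sources that repeatedly receive HTTP 500 on POSTs to client-registration paths. The log format, the realm name and the threshold are assumptions; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (assumption: the format, the
# realm "demo" and the addresses are illustrative, not from the CVE record).
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "POST /auth/realms/demo/clients-registrations/default HTTP/1.1" 500 61
203.0.113.7 - - [28/May/2026:10:01:03 +0000] "POST /auth/realms/demo/clients-registrations/default HTTP/1.1" 500 61
203.0.113.7 - - [28/May/2026:10:01:04 +0000] "POST /auth/realms/demo/clients-registrations/openid-connect HTTP/1.1" 500 61
198.51.100.4 - - [28/May/2026:10:01:05 +0000] "POST /auth/realms/demo/clients-registrations/default HTTP/1.1" 201 412
198.51.100.4 - - [28/May/2026:10:02:00 +0000] "GET /auth/realms/demo/protocol/openid-connect/certs HTTP/1.1" 200 1801
192.0.2.9 - - [28/May/2026:10:03:00 +0000] "POST /auth/realms/demo/clients-registrations/default HTTP/1.1" 500 61
"""

# One CLF line: source, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_registration_500s(log_text):
    """Count, per source address, POSTs to client-registration paths answered with HTTP 500."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if (rec["method"] == "POST"
                and "/clients-registrations/" in rec["path"]
                and rec["status"] == "500"):
            hits[rec["src"]] += 1
    return hits


def suspicious_sources(log_text, threshold=3):
    """Sources with at least `threshold` such errors. A single 500 may be a benign
    bug, so the threshold is a tuning assumption to fit the local baseline."""
    return sorted(src for src, n in count_registration_500s(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for src in suspicious_sources(SAMPLE_LOG):
        print(f"ALERT: repeated HTTP 500 on client registration from {src}")
```

Successful registrations (201) and 500s on unrelated paths are deliberately ignored so that the alert keys only on the error pattern the CVE describes.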
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying any available patches or updates provided by the vendor to fix the flaw in the ClientRegistrationAuth component.
If patches are not immediately available, consider implementing network-level protections such as firewall rules or web application firewall (WAF) rules to block or filter malformed 'Authorization: Bearer' headers in POST requests to client registration endpoints.
Additionally, monitoring and alerting on HTTP 500 errors from these endpoints can help detect and respond to exploitation attempts quickly.