CVE-2026-16103
Received
Received - Intake
Keycloak CIBA Token Redemption Bypass via Brute-Force Protection
Vulnerability report for CVE-2026-16103, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: Red Hat, Inc.
Description
Description
A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication (CIBA) initiation handler but were omitted from the token redemption handler. This allows an attacker with valid client credentials to obtain access and refresh tokens for a user account that has been locked due to brute-force protection, provided the authentication request was started before the lockout occurred and was approved by the user.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak_services | * |
| redhat | keycloak_services | From 2026-01-01 (inc) to 2026-12-31 (exc) |
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |