CVE-2026-16103
Received Received - Intake

Keycloak CIBA Token Redemption Bypass via Brute-Force Protection

Vulnerability report for CVE-2026-16103, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication (CIBA) initiation handler but were omitted from the token redemption handler. This allows an attacker with valid client credentials to obtain access and refresh tokens for a user account that has been locked due to brute-force protection, provided the authentication request was started before the lockout occurred and was approved by the user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
redhat keycloak_services *
redhat keycloak_services From 2026-01-01 (inc) to 2026-12-31 (exc)
redhat keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an incomplete fix for CVE-2026-9798 in Keycloak's keycloak-services component. It involves a missing brute-force protection check in the token redemption handler for Client-Initiated Backchannel Authentication (CIBA). Attackers with valid client credentials can bypass account lockouts by initiating a request before lockout, having the user approve it, and then redeeming the token within the expiry window.

Detection Guidance

Detecting this vulnerability requires monitoring Keycloak logs for unusual CIBA token redemption activities. Check for multiple successful token redemptions from the same client ID after a brute-force lockout event. Review logs for auth_req_id usage outside normal approval windows.

Impact Analysis

If you use Keycloak with CIBA enabled, an attacker could gain unauthorized access to your account even after it was locked due to brute-force attempts. This could lead to data breaches, unauthorized actions, or further exploitation of your account privileges.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements such as GDPR's data protection principles or HIPAA's access controls. Organizations using Keycloak may fail audits or face penalties due to insufficient brute-force protection.

Mitigation Strategies

Apply the latest Keycloak patch addressing CVE-2026-16103. Ensure brute-force protection checks are enforced in both CIBA initiation and token redemption handlers. Temporarily disable CIBA for affected clients until patched. Monitor for suspicious token redemption patterns.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart