Description
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak's client registration service allows an attacker who already holds a Registration Access Token to re‑enable a client that an administrator has deliberately disabled. The vulnerability bypasses the normal disabled‑client guard and permits the attacker to reset the client’s secret, granting unauthorized access to the client’s API and potentially compromising both confidentiality and integrity.

Affected Systems

Red Hat Build of Keycloak is affected. All releases that include the vulnerable client registration service are impacted; no specific version numbers are listed in the data.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity risk. The EPSS score is unavailable, so the precise likelihood of exploitation remains unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; based on the description, it is inferred that an attacker only needs a valid Registration Access Token, which can be issued during dynamic client registration, to exploit this flaw from an external network once the token is in hand.

Generated by OpenCVE AI on June 25, 2026 at 18:40 UTC.

Remediation

Vendor Workaround

To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts.


OpenCVE Recommended Actions

  • Configure network firewalls to allow connections to the Keycloak Dynamic Client Registration endpoint only from trusted hosts or networks that legitimately require access, thereby limiting exposure of the vulnerable endpoint.
  • If feasible, disable the Dynamic Client Registration endpoint in Keycloak or revoke any unnecessary Registration Access Tokens to reduce the attack surface.
  • Monitor Keycloak logs for unexpected client enablement events and verify that disabled clients cannot be re‑enabled without proper authorization.

Generated by OpenCVE AI on June 25, 2026 at 18:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
References

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.6::el9
References

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
Title Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-613
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-29T18:10:46.870Z

Reserved: 2026-05-27T12:48:48.084Z

Link: CVE-2026-9705

cve-icon Vulnrichment

Updated: 2026-06-29T18:10:43.454Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T15:59:03Z

Links: CVE-2026-9705 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:50Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration