Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak allows an attacker who possesses valid client credentials to use the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the temporary lock that normally prevents logins after repeated failed attempts. This enables continued authentication attempts and token issuance even while an account is marked as locked, undermining the control designed to thwart brute-force attacks. The weakness is classified as CWE-305, Authentication Bypass by Primary Weakness: the lockout is the primary control, and the CIBA flow circumvents it.

Affected Systems

The vulnerability affects Red Hat Build of Keycloak. No specific version information is provided, so all deployments of this product are potentially susceptible until a patch is applied.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level, and the EPSS score is not available, suggesting limited publicly known exploitation. The issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to have legitimate client credentials and the ability to invoke CIBA. Once these conditions are met, the attacker can repeatedly attempt logins or obtain tokens against a locked account, which could lead to further unauthorized access attempts.

Generated by OpenCVE AI on May 28, 2026 at 07:22 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that Client-Initiated Backchannel Authentication (CIBA) is not enabled in Keycloak realms unless explicitly required; where it is currently enabled without a need, disable it so that it cannot be used to bypass brute-force protection. Consult the Keycloak documentation for instructions on managing CIBA configuration.


OpenCVE Recommended Actions

  • Disable or remove Client‑Initiated Backchannel Authentication from all Keycloak realms unless it is absolutely required.
  • Adjust realm configuration so that accounts locked by brute‑force protection cannot authenticate via CIBA.
  • Restrict the use of client credentials to trusted applications that legitimately require CIBA.
  • Monitor the Keycloak vendor channel and apply any newer release that addresses this flaw as soon as it becomes available.

Generated by OpenCVE AI on May 28, 2026 at 07:22 UTC.
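The recommended actions above amount to an audit question: which clients in a realm have the CIBA grant switched on, and is realm-level brute-force detection actually enabled? The following script is an added example, not code from OpenCVE, Red Hat or the Keycloak project. It reads a realm export and reports both. It assumes the export has the shape Keycloak produces (realm-level bruteForceProtected and related fields, a clients list with per-client attributes) and that the per-client attribute for the "OIDC CIBA Grant" toggle is named oidc.ciba.grant.enabled; the sample export embedded in the block is constructed for the demonstration, not taken from any real deployment.

```python
import json

# Constructed sample of a Keycloak realm export (not a real deployment).
# The field names mirror Keycloak's realm and client representation as far
# as I know it; treat them as assumptions and check against your own export.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "bruteForceProtected": True,
    "permanentLockout": False,
    "failureFactor": 5,
    "maxFailureWaitSeconds": 900,
    "attributes": {
        "cibaBackchannelTokenDeliveryMode": "poll",
        "cibaExpiresIn": "120",
    },
    "clients": [
        {"clientId": "web-app", "publicClient": True, "attributes": {}},
        {"clientId": "call-center", "publicClient": False,
         "attributes": {"oidc.ciba.grant.enabled": "true"}},
        {"clientId": "legacy-batch", "publicClient": False,
         "attributes": {"oidc.ciba.grant.enabled": "false"}},
    ],
})

# Per-client attribute behind the admin console's "OIDC CIBA Grant" switch
# (assumed name; verify against the attribute your Keycloak version writes).
CIBA_ATTR = "oidc.ciba.grant.enabled"


def ciba_enabled_clients(realm):
    """Return the clientIds whose CIBA grant attribute is set to 'true'."""
    enabled = []
    for client in realm.get("clients", []):
        attrs = client.get("attributes") or {}
        # Keycloak stores client attributes as strings, so compare textually.
        if str(attrs.get(CIBA_ATTR, "false")).lower() == "true":
            enabled.append(client["clientId"])
    return enabled


def audit_realm(export_json):
    """Parse a realm export and return the CIBA / brute-force audit result."""
    realm = json.loads(export_json)
    ciba_clients = ciba_enabled_clients(realm)
    brute_force = bool(realm.get("bruteForceProtected", False))
    findings = []
    if ciba_clients:
        findings.append(
            "CIBA grant enabled on %d client(s): %s; disable unless required "
            "(see CVE-2026-9798)" % (len(ciba_clients), ", ".join(ciba_clients))
        )
    if not brute_force:
        findings.append("brute-force detection is disabled at realm level")
    return {
        "realm": realm.get("realm"),
        "ciba_clients": ciba_clients,
        "brute_force_protected": brute_force,
        "failure_factor": realm.get("failureFactor"),
        "permanent_lockout": bool(realm.get("permanentLockout", False)),
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_realm(SAMPLE_REALM_EXPORT)
    print(json.dumps(result, indent=2))
```

Run it against a full realm export (for example the JSON produced by Keycloak's export tooling, or a realm representation fetched from the admin REST API) by passing that text to audit_realm instead of the constructed sample. A non-empty ciba_clients list is the inventory to reconcile against the "trusted applications that legitimately require CIBA" in the recommendations; every other entry is a candidate for switching the grant off until a fixed release is deployed.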

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:15:00 +0000

Type         Values Removed      Values Added
References
Metrics      threat_severity     threat_severity
             None                Moderate


Thu, 28 May 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Redhat build Of Keycloak
Vendors & Products                     Redhat build Of Keycloak

Thu, 28 May 2026 06:00:00 +0000

Type                  Values Removed   Values Added
Description                            A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
Title                                  Keycloak: keycloak: brute-force protection bypass in ciba flow
First Time appeared                    Redhat
                                       Redhat build Keycloak
Weaknesses                             CWE-305
CPEs                                   cpe:/a:redhat:build_keycloak:
Vendors & Products                     Redhat
                                       Redhat build Keycloak
References
Metrics                                cvssV3_1
                                       {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T04:37:09.472Z

Reserved: 2026-05-28T03:51:03.615Z

Link: CVE-2026-9798

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-28T06:16:29.330

Modified: 2026-05-28T13:44:54.327

Link: CVE-2026-9798

Redhat

Severity: Moderate

Public Date: 2026-05-28T03:53:01Z

Links: CVE-2026-9798 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T08:30:11Z

Weaknesses