Description
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
Published: 2026-05-28
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak permits an attacker with high privileges—such as a realm administrator who can configure an LDAP server or an attacker who has compromised an upstream LDAP server—to send a malformed LDAP password‑policy response during a password authentication request. The malformed response triggers an OutOfMemoryError, causing the Keycloak Java Virtual Machine to terminate and leaving all realms on the affected node unavailable. The attack results in a denial of service, affecting only availability and not exposing data or enabling code execution. The weakness is identified as CWE‑1284.

Affected Systems

The vulnerability impacts Red Hat Build of Keycloak. No specific product versions are listed in the advisory, so all installations of this build may be affected until further information is released.

Risk and Exploitability

The CVSS score of 4.9 indicates a low‑to‑moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, indicating a lower likelihood of widespread exploitation. The attacker must have realm‑administrator privileges or control an LDAP server that Keycloak trusts. Once those conditions are met, the attacker can remotely trigger the OutOfMemoryError by sending the crafted LDAP response. The primary attack vector is a remote LDAP interaction, inferred from the description.

Generated by OpenCVE AI on May 28, 2026 at 07:51 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, ensure that Keycloak's LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately.

OpenCVE Recommended Actions

  • Configure all LDAP user‑storage providers to connect only to trusted LDAP servers
  • Use TLS for all LDAP connections to prevent Man‑in‑the‑Middle attacks
  • Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints
  • If an upstream LDAP server is compromised, isolate and secure it immediately

Generated by OpenCVE AI on May 28, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 28 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Thu, 28 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
Title Keycloak: keycloak: denial of service via malformed ldap password policy response
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-1284
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T04:42:10.331Z

Reserved: 2026-05-28T04:00:46.722Z

Link: CVE-2026-9801

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T06:16:29.493

Modified: 2026-05-28T13:44:54.327

Link: CVE-2026-9801

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T04:18:25Z

Links: CVE-2026-9801 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T09:30:05Z

Weaknesses