Vulnerability Details CVE-2026-4634
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.0%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-4634
- cpe:2.3:a:redhat:build_of_keycloak:-
- cpe:2.3:a:redhat:build_of_keycloak:26.2
- cpe:2.3:a:redhat:build_of_keycloak:26.2.15
- cpe:2.3:a:redhat:build_of_keycloak:26.4
- cpe:2.3:a:redhat:build_of_keycloak:26.4.11