Vulnerability Details CVE-2026-9798
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.2%
CVSS Severity
CVSS v3 Score 4.3
References
Products affected by CVE-2026-9798
-
cpe:2.3:a:redhat:build_of_keycloak:-