CVE-2026-9798
EUVD-2026-3271728.05.2026, 06:16
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| redhat | build_of_keycloak | - |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
Vulnerability Media Exposure