CVE-2026-9798: Authentication Bypass by Primary Weakness in Red Hat Red Hat Build of Keycloak
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
AI Analysis
Technical Summary
A vulnerability in Red Hat Build of Keycloak allows bypassing brute-force protection mechanisms when user accounts are locked after repeated failed login attempts. Specifically, during the CIBA flow, an attacker possessing valid client credentials can continue authentication attempts and obtain tokens despite the account lockout state. This issue arises from improper enforcement of account lockout during the backchannel authentication process. The CVSS 3.1 base score is 4.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and limited confidentiality impact.
Potential Impact
The vulnerability permits attackers with valid client credentials to circumvent account lockout protections, potentially enabling continued brute-force attempts or unauthorized token issuance. This could lead to increased risk of unauthorized access to user accounts. However, the impact is limited to confidentiality with no direct integrity or availability effects. There are no known active exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9798 for current remediation guidance. Until an official fix is available, organizations should monitor for unusual authentication activity involving the CIBA flow and consider additional compensating controls such as restricting client credentials or enhancing monitoring around authentication attempts. No vendor advisory indicates that no action is required or that the issue is already mitigated.
CVE-2026-9798: Authentication Bypass by Primary Weakness in Red Hat Red Hat Build of Keycloak
Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
CVSS v3.1
Score 4.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A vulnerability in Red Hat Build of Keycloak allows bypassing brute-force protection mechanisms when user accounts are locked after repeated failed login attempts. Specifically, during the CIBA flow, an attacker possessing valid client credentials can continue authentication attempts and obtain tokens despite the account lockout state. This issue arises from improper enforcement of account lockout during the backchannel authentication process. The CVSS 3.1 base score is 4.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and limited confidentiality impact.
Potential Impact
The vulnerability permits attackers with valid client credentials to circumvent account lockout protections, potentially enabling continued brute-force attempts or unauthorized token issuance. This could lead to increased risk of unauthorized access to user accounts. However, the impact is limited to confidentiality with no direct integrity or availability effects. There are no known active exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9798 for current remediation guidance. Until an official fix is available, organizations should monitor for unusual authentication activity involving the CIBA flow and consider additional compensating controls such as restricting client credentials or enhancing monitoring around authentication attempts. No vendor advisory indicates that no action is required or that the issue is already mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-05-28T03:51:03.615Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-9798","vendor":"Red Hat"}]
Threat ID: 6a17daeae29bf47b50b180f2
Added to database: 5/28/2026, 6:04:26 AM
Last enriched: 5/28/2026, 6:18:48 AM
Last updated: 5/29/2026, 6:22:58 PM
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.