CVE-2026-9798

Published: Mag 28, 2026 Last Modified: Mag 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

305

Authentication Bypass by Primary Weakness

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism

Applicable Platforms

All platforms may be affected

View CWE Details

https://access.redhat.com/security/cve/CVE-2026-9798

https://bugzilla.redhat.com/show_bug.cgi?id=2482470

CVE-2026-9798

Description

Authentication Bypass by Primary Weakness

Common Consequences

Applicable Platforms

Iscriviti alla newsletter