High severity (7.5) · NVD Advisory · Published Apr 2, 2026 · Updated Apr 16, 2026
CVE-2026-4634
Description
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | < 26.5.7 | 26.5.7 |
Affected products
CPEs (from NVD):
- cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
OSV coordinates (no CPE assigned; affected range per package):
- pkg:apk/chainguard/keycloak-26.5: < 26.5.7-r0
- pkg:apk/chainguard/keycloak-26.5-iamguarded-compat: < 26.5.7-r0
- pkg:apk/chainguard/keycloak-fips-26.5: < 26.5.6-r4
- pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fips: < 26.5.6-r4
- pkg:apk/wolfi/keycloak-26.5: < 26.5.7-r0
- pkg:apk/wolfi/keycloak-26.5-iamguarded-compat: < 26.5.7-r0
- pkg:maven/org.keycloak/keycloak-services: < 26.5.7
References
- access.redhat.com/errata/RHSA-2026:6475 (Vendor Advisory, via NVD)
- access.redhat.com/errata/RHSA-2026:6476 (Vendor Advisory, via NVD)
- access.redhat.com/errata/RHSA-2026:6477 (Vendor Advisory, via NVD)
- access.redhat.com/errata/RHSA-2026:6478 (Vendor Advisory, via NVD)
- access.redhat.com/security/cve/CVE-2026-4634 (Vendor Advisory, via NVD)
- bugzilla.redhat.com/show_bug.cgi (Issue Tracking, Vendor Advisory, via NVD)
- github.com/advisories/GHSA-h4wv-g838-66g3 (Advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-4634 (Advisory, via GHSA)
- github.com/keycloak/keycloak/commit/b455ee4f28abb6f2120aff72fd179589cc5267a0 (Web, via GHSA)
- github.com/keycloak/keycloak/issues/47716 (Web, via GHSA)