Medium severity4.3NVD Advisory· Published May 28, 2026· Updated Jun 3, 2026
CVE-2026-9798
CVE-2026-9798
Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- access.redhat.com/security/cve/CVE-2026-9798nvdMitigationVendor Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory
News mentions
1- Keycloak: Twelve Vulnerabilities Disclosed, One High SeverityVypr Intelligence · May 28, 2026