CVE-2026-9798
Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's CIBA flow bypasses account lockout, allowing continued authentication attempts despite brute-force protection.
Vulnerability
A flaw in Keycloak, an open-source identity and access management solution, allows the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the account lockout mechanism that normally triggers after repeated failed login attempts. The vulnerability affects the CIBA flow when a user account has been temporarily locked due to brute-force detection. The condition requires the attacker to possess valid client credentials and to target a locked account. Affected versions have not been explicitly enumerated in the available references, but the flaw is present in the open-source Keycloak project and may affect deployments using CIBA [1][2].
Exploitation
An attacker with valid client credentials can exploit this vulnerability by initiating a CIBA authentication request for a user whose account has been temporarily locked due to multiple failed login attempts. During the CIBA flow, Keycloak does not honor the account lockout state, allowing the attacker to continue sending authentication requests and, if successful, obtain tokens. The attack requires no user interaction and can be performed remotely against any exposed CIBA endpoint [1][2].
Impact
Successful exploitation allows the attacker to bypass the brute-force protection for a locked account, enabling repeated authentication attempts and possibly obtaining authentication tokens. This undermines the security mechanism designed to prevent credential guessing attacks, potentially leading to unauthorized access to the affected user's account and associated protected resources [1][2].
Mitigation
As of the publication date (2026-05-28), no fixed version or specific workaround has been disclosed in the available references. Administrators should monitor Red Hat's security advisories and the Keycloak project for updates. Disabling the CIBA flow or restricting its use to trusted clients may be considered as an interim measure, though no official guidance has been provided [1][2].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.