VYPR
Medium severity (4.9) · NVD Advisory · Published May 28, 2026

CVE-2026-9801

Description

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak realm administrators or attackers who compromise an upstream LDAP server can cause a denial of service by sending a malformed LDAP password policy response, crashing the JVM.

Vulnerability

A flaw exists in Keycloak where a remote attacker with high privileges, such as a realm administrator configuring a malicious LDAP server or an attacker compromising an upstream LDAP server, can send a malformed LDAP password policy response during a password authentication request. This triggers an OutOfMemoryError, terminating the Keycloak Java Virtual Machine (JVM) and causing a denial of service. The vulnerability affects all Keycloak versions prior to the fix. [1] [2]

Exploitation

To exploit, the attacker must have high privileges (e.g., realm administrator access) or be able to compromise an existing upstream LDAP server used by Keycloak. The attacker then crafts a malformed LDAP password policy response, which is sent during a regular password authentication request. No user interaction is required beyond the normal authentication flow. The malformed response triggers an OutOfMemoryError, crashing the JVM. [1] [2]

Impact

Successful exploitation results in a denial of service (DoS) for all realms hosted on the affected Keycloak node, as the JVM terminates. This leads to complete service unavailability until the node is restarted. No data confidentiality or integrity impact is reported. [1] [2]

Mitigation

Red Hat has not yet released a fixed version as of the publication date (2026-05-28). The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. As a workaround, administrators should ensure that only trusted LDAP servers are configured and that LDAP server communication is secured (e.g., with TLS). Restricting realm administrator privileges to trusted personnel can also reduce risk. [1] [2]
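The two workarounds above (only trusted LDAP servers, LDAP traffic under TLS) can be checked against a realm's user-federation configuration. The following audit is an added example, not code from the advisory or the Keycloak project; it assumes the component JSON shape returned by the Keycloak admin REST API (`providerId` of `ldap`, config keys `connectionUrl` and `startTls`, values as lists of strings) and an operator-supplied allowlist of trusted LDAP hosts.

```python
"""Audit Keycloak LDAP federation components for the two workarounds above:
only trusted LDAP servers, and LDAP traffic protected by TLS.
Input: the JSON list from the Keycloak admin REST API endpoint
GET /admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider
(fetching it is out of scope here; the sample below is constructed).
"""
from urllib.parse import urlsplit

# Constructed sample in the shape of Keycloak component representations;
# config values are lists of strings, as the admin API returns them.
SAMPLE_COMPONENTS = [
    {"id": "c1", "name": "corp-ldap", "providerId": "ldap",
     "providerType": "org.keycloak.storage.UserStorageProvider",
     "config": {"connectionUrl": ["ldaps://ldap.corp.example:636"],
                "startTls": ["false"]}},
    {"id": "c2", "name": "legacy-ldap", "providerId": "ldap",
     "providerType": "org.keycloak.storage.UserStorageProvider",
     "config": {"connectionUrl": ["ldap://10.0.0.9:389"],
                "startTls": ["false"]}},
    {"id": "c3", "name": "kerberos", "providerId": "kerberos",
     "providerType": "org.keycloak.storage.UserStorageProvider",
     "config": {}},
]

def _first(config, key, default=""):
    """Component config values are lists; return the first entry or default."""
    values = config.get(key) or [default]
    return values[0]

def audit_ldap_components(components, trusted_hosts):
    """Return (component name, finding) pairs for every LDAP federation
    provider that is unencrypted or points at a host outside the allowlist.
    trusted_hosts is an operator-maintained set (assumption)."""
    findings = []
    for comp in components:
        if comp.get("providerId") != "ldap":
            continue  # e.g. kerberos providers are not LDAP federation
        cfg = comp.get("config", {})
        name = comp.get("name", comp.get("id", "?"))
        start_tls = _first(cfg, "startTls", "false").lower() == "true"
        # connectionUrl may list several space-separated servers (failover)
        for url in _first(cfg, "connectionUrl").split():
            parts = urlsplit(url)
            if parts.scheme != "ldaps" and not start_tls:
                findings.append((name, f"unencrypted LDAP connection: {url}"))
            if parts.hostname not in trusted_hosts:
                findings.append((name, f"LDAP host not in allowlist: {parts.hostname}"))
    return findings
```

Run it over the components of each realm; any finding is an LDAP provider that a compromised or attacker-controlled server could reach Keycloak through without the workaround in place.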

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)