CVE-2026-9803
Description
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's ClientRegistrationAuth component allows unauthenticated remote attackers to cause a Denial of Service via a crafted POST request with a malformed Authorization header.
Vulnerability
A flaw exists in Keycloak's ClientRegistrationAuth component, which is reachable through any client registration endpoint. A remote unauthenticated attacker can trigger an ArrayIndexOutOfBoundsException by sending a specially crafted POST request containing a malformed Authorization: Bearer header. This vulnerable code path is present in versions prior to the fix, as referenced in [1] and [2].
Exploitation
The attacker needs no authentication and can be remote. Exploitation consists of sending a POST request to any client registration endpoint with a malformed Authorization: Bearer header (for example, one with a missing or improperly formatted token). During server-side parsing of that header the code raises an ArrayIndexOutOfBoundsException; the exception is not handled, so the server answers with an HTTP 500 [1][2]. The public description does not specify the exact malformed shape beyond this.
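The following is an added example, not Keycloak's code or the fix (Keycloak is Java; no fix diff is available for this CVE). It models the failure mode in the paragraph above: a bearer-token extractor that splits the header and indexes the result without checking the part count, beside a hardened extractor that validates the scheme and token shape per RFC 6750, and a tiny dispatcher that maps an escaping exception to HTTP 500 the way an unhandled exception surfaces. The Python IndexError stands in for the ArrayIndexOutOfBoundsException. It also builds a raw probe request for your own instance; the endpoint path shape is assumed from Keycloak's documented client registration URL, and the "Bearer with no token" form is one malformed shape consistent with the description, not a confirmed trigger.

```python
"""Model of a fragile vs. hardened Authorization: Bearer parser, plus a probe
request builder. Hypothetical example code, not Keycloak's implementation."""
import re
from typing import Callable, Mapping, Optional

# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def extract_bearer_naive(authorization: str) -> str:
    """Vulnerable pattern: assumes '<scheme> <token>' and indexes blindly.
    'Bearer' with no token -> IndexError (analogue of the AIOOBE in the CVE).
    Also accepts any scheme, so 'Basic xyz' is silently treated as a bearer token."""
    return authorization.split(" ")[1]


def extract_bearer_hardened(authorization: Optional[str]) -> Optional[str]:
    """Return the token only for exactly 'Bearer <b64token>' (scheme matched
    case-insensitively per RFC 7235); None for everything else, never raise."""
    if authorization is None:
        return None
    parts = authorization.strip().split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    if not _B64TOKEN.fullmatch(parts[1]):
        return None
    return parts[1]


def dispatch(headers: Mapping[str, str], extractor: Callable[[str], Optional[str]]) -> int:
    """Stand-in for a registration endpoint: returns the HTTP status it would send.
    An exception escaping the extractor is mapped to 500, mirroring the
    unhandled-exception behaviour described for the CVE."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401
    try:
        token = extractor(auth)
    except Exception:  # modelled as an unhandled server error
        return 500
    if not token:
        return 401
    # Real token validation (signature, expiry, scope) would go here; the
    # example stops at parsing and reports 200 for a syntactically valid token.
    return 200


def build_probe_request(host: str, realm: str, provider: str = "default") -> bytes:
    """Raw HTTP/1.1 request with the scheme but no token in the Authorization
    header. Path shape assumed: /realms/<realm>/clients-registrations/<provider>
    (legacy WildFly builds prefix /auth). Send only to an instance you are
    authorised to test; a 500 matches the CVE behaviour, a 400/401 does not."""
    body = b"{}"
    path = f"/realms/{realm}/clients-registrations/{provider}"
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Authorization: Bearer\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body


if __name__ == "__main__":
    # Constructed sample headers exercising both extractors.
    for hdr in ["Bearer", "Bearer ", "Bearer abc.def-ghi==", "Basic YWJj", "Bearer a b"]:
        print(f"{hdr!r:>24}  naive={dispatch({'Authorization': hdr}, extract_bearer_naive)}"
              f"  hardened={dispatch({'Authorization': hdr}, extract_bearer_hardened)}")
    print(build_probe_request("idp.example", "demo").decode("ascii"))
```

The hardened extractor never raises: every malformed input becomes a 401 from the caller rather than a 500, and the scheme check also closes the scheme-confusion gap the naive version has. The probe bytes can be sent over a TLS socket to your own deployment to confirm the response code before and after upgrading.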
Impact
Successful exploitation yields an HTTP 500 response from the affected client registration endpoint, which the advisory classifies as a Denial of Service (DoS) affecting availability [1][2]. The description documents the failure for the crafted request itself; it does not state whether the exception crashes the process or otherwise affects concurrent legitimate requests, so the practical blast radius should be assumed to be limited to the client registration component unless the vendor advisory says otherwise. Legitimate client registration operations can still be blocked while the endpoint is being hit, and the resulting 500s are the observable signal to alert on.
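As an added example (not part of the page or of Keycloak), the following detection logic flags the signal described above: POST requests to client-registration paths that ended in HTTP 500, grouped by source address. The log lines are constructed here in Apache combined format; Keycloak's (Quarkus) access logging is opt-in and its pattern is configurable, so the regex is an assumption to adapt to your deployment, as is the path shape.

```python
"""Flag HTTP 500 responses on Keycloak client-registration POSTs per source IP.
Added detection sketch; log lines and format are constructed assumptions."""
import re
from collections import Counter

# Assumed path shape: /realms/<realm>/clients-registrations/<provider>
# (legacy WildFly builds prefix /auth).
_REG_PATH = re.compile(r"^(?:/auth)?/realms/[^/]+/clients-registrations/")

# Apache combined log format (assumed; adjust to your access-log pattern).
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two probing hosts, one legitimate registration, one noise line.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "POST /realms/demo/clients-registrations/default HTTP/1.1" 500 0 "-" "curl/8.5.0"
203.0.113.7 - - [28/May/2026:10:01:03 +0000] "POST /realms/demo/clients-registrations/openid-connect HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.2 - - [28/May/2026:10:01:04 +0000] "POST /realms/demo/clients-registrations/default HTTP/1.1" 201 412 "-" "python-requests/2.32"
203.0.113.7 - - [28/May/2026:10:01:05 +0000] "GET /realms/demo/protocol/openid-connect/certs HTTP/1.1" 200 1523 "-" "curl/8.5.0"
192.0.2.9 - - [28/May/2026:10:01:06 +0000] "POST /realms/demo/clients-registrations/default HTTP/1.1" 500 0 "-" "Go-http-client/1.1"
"""


def suspicious_registration_errors(log_text: str) -> Counter:
    """Return {client_ip: count} of POSTs to client-registration paths that
    ended in HTTP 500. Unparseable lines are skipped rather than raised on."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["status"] == "500" and _REG_PATH.match(m["path"]):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in suspicious_registration_errors(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} x HTTP 500 on client-registration POST")
```

A single 500 can be a benign bug, so alert on a threshold per source over a short window, and correlate with the Authorization header if your proxy logs it.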
Mitigation
According to the advisory [1], the flaw is fixed in Keycloak version 25.0.2; users should upgrade to that release or later. Note that this page's Patches section lists no fix commit yet, so confirm the fixed version against the vendor advisory before relying on it. No workaround is documented for versions prior to the fix. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication [1][2].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.