Medium severity5.3NVD Advisory· Published May 28, 2026· Updated Jun 10, 2026
CVE-2026-9803
CVE-2026-9803
Description
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3(expand)+ 1 more
- (no CPE)
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
Patches
Vulnerability mechanics
References
4- access.redhat.com/security/cve/CVE-2026-9803nvdVendor Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory
- access.redhat.com/errata/RHSA-2026:25097nvd
- access.redhat.com/errata/RHSA-2026:25098nvd
News mentions
1- Keycloak: Twelve Vulnerabilities Disclosed, One High SeverityVypr Intelligence · May 28, 2026