CVE-2026-9798

Summary (advisory source: GitHub)

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

EPSS Score: 0.00206 (0.107)

Common Weakness Enumeration (CWE)

NIST: Authentication Bypass by Primary Weakness
GitHub: Authentication Bypass by Primary Weakness
Red Hat: Authentication Bypass by Primary Weakness


NIST

ADVISORY ID: CVE-2026-9798
EXPLOITABILITY SCORE: 2.8
EXPLOITS FOUND: -
CWE: Authentication Bypass by Primary Weakness
CVSS SCORE: 4.3 (Medium)

GitHub

EXPLOITABILITY SCORE: 2.8
EXPLOITS FOUND: -
CWE: Authentication Bypass by Primary Weakness
CVSS SCORE: 4.3 (Medium)

Red Hat

ADVISORY ID: CVE-2026-9798
EXPLOITABILITY SCORE: 2.8
EXPLOITS FOUND: -
CWE: Authentication Bypass by Primary Weakness
CVSS SCORE: 4.3 (Medium)