CVE-2026-9798
Summary (GitHub advisory)
A flaw was found in Keycloak, an open-source identity and access management solution. Keycloak's brute-force detection temporarily locks a user account after repeated failed login attempts, but that lockout is not enforced on the Client-Initiated Backchannel Authentication (CIBA) flow. An attacker holding valid credentials for a client that may use CIBA can keep submitting backchannel authentication requests for the locked user and still obtain tokens, so the lockout does not stop authentication attempts or token issuance on that path and further unauthorized access attempts remain possible.
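A practitioner patching this wants a regression check: lock a throwaway user through the normal brute-force path, confirm the lockout via the admin API, then verify that the CIBA backchannel can no longer mint tokens for that user. The script below is an added example, not Keycloak's code or anything from the advisory. It assumes a lab realm with brute-force detection enabled, a confidential client allowed to use CIBA whose authentication entity auto-approves requests, a throwaway user and an admin bearer token; the endpoint paths are Keycloak's standard OIDC, CIBA and admin paths, and the hypothetical `fake_keycloak` transport is a constructed stand-in so the check can run offline in both the vulnerable and the fixed configuration.

```python
"""Regression check: can a brute-force-locked Keycloak user still obtain tokens
through the CIBA backchannel?  Added example, not Keycloak code.

Assumptions (not stated in the advisory): a lab realm with brute-force
detection on, a confidential client with CIBA enabled whose authentication
entity auto-approves requests, a throwaway user, and an admin bearer token.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# transport(method, url, form_fields, headers) -> (http_status, decoded_json_body)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, dict]]
CIBA_GRANT = "urn:openid:params:grant-type:ciba"


def http_transport(method: str, url: str, form: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport for a live Keycloak: form-encoded request, JSON reply, 4xx not raised."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def check_locked_user_cannot_use_ciba(base: str, realm: str, client_id: str, client_secret: str,
                                      username: str, user_id: str, admin_token: str,
                                      transport: Transport, wrong_attempts: int = 5,
                                      max_polls: int = 5) -> dict:
    """Returns {'verdict': 'pass'|'fail'|'setup_failed'|'inconclusive', 'detail': str}."""
    token_url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    creds = {"client_id": client_id, "client_secret": client_secret}

    # 1. Trip the brute-force detector with deliberately wrong direct-grant logins.
    for _ in range(wrong_attempts):
        transport("POST", token_url, {**creds, "grant_type": "password",
                                      "username": username, "password": "definitely-wrong"}, {})

    # 2. Confirm via the admin API that Keycloak now treats the user as temporarily locked.
    status, body = transport("GET", f"{base}/admin/realms/{realm}/attack-detection/brute-force/users/{user_id}",
                             {}, {"Authorization": f"Bearer {admin_token}"})
    if status != 200 or not body.get("disabled"):
        return {"verdict": "setup_failed", "detail": "user never entered brute-force lockout"}

    # 3. Backchannel authentication request naming the locked user.
    status, body = transport("POST", f"{base}/realms/{realm}/protocol/openid-connect/ext/ciba/auth",
                             {**creds, "scope": "openid", "login_hint": username,
                              "binding_message": "lockout-regression-check"}, {})
    if status != 200 or "auth_req_id" not in body:
        return {"verdict": "pass", "detail": f"backchannel request refused: {body.get('error')}"}

    # 4. Poll the token endpoint; any access token here means the lockout was bypassed.
    for _ in range(max_polls):
        status, tok = transport("POST", token_url, {**creds, "grant_type": CIBA_GRANT,
                                                    "auth_req_id": body["auth_req_id"]}, {})
        if status == 200 and "access_token" in tok:
            return {"verdict": "fail", "detail": "token issued to a locked user via CIBA"}
        if tok.get("error") not in ("authorization_pending", "slow_down"):
            return {"verdict": "pass", "detail": f"token endpoint refused: {tok.get('error')}"}
    return {"verdict": "inconclusive", "detail": "still authorization_pending after polling"}


def fake_keycloak(vulnerable: bool, max_failures: int = 3) -> Transport:
    """Constructed offline stand-in (hypothetical) modelling only the four endpoints above.
    vulnerable=True reproduces the advisory's behaviour: CIBA ignores the lockout.
    The exact error a fixed server returns is modelled, not taken from Keycloak."""
    state = {"failures": 0, "auth_req_ids": set()}

    def transport(method: str, url: str, form: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, dict]:
        locked = state["failures"] >= max_failures
        if url.endswith("/token") and form.get("grant_type") == "password":
            state["failures"] += 1                       # wrong password: always rejected
            return 401, {"error": "invalid_grant"}
        if "/attack-detection/brute-force/users/" in url:
            return 200, {"disabled": locked, "numFailures": state["failures"]}
        if url.endswith("/ext/ciba/auth"):
            if locked and not vulnerable:
                return 400, {"error": "invalid_request"}  # fixed: lockout enforced on CIBA
            req_id = f"req-{len(state['auth_req_ids'])}"
            state["auth_req_ids"].add(req_id)
            return 200, {"auth_req_id": req_id, "expires_in": 120, "interval": 5}
        if url.endswith("/token") and form.get("grant_type") == CIBA_GRANT:
            if form.get("auth_req_id") in state["auth_req_ids"]:  # auto-approving auth entity
                return 200, {"access_token": "constructed.sample.token", "token_type": "Bearer"}
            return 400, {"error": "invalid_grant"}
        return 404, {}

    return transport


if __name__ == "__main__":
    for flag in (True, False):
        verdict = check_locked_user_cannot_use_ciba("https://kc.example", "lab", "ciba-client", "secret",
                                                    "alice", "user-1", "admin-token", fake_keycloak(flag))
        print("vulnerable" if flag else "fixed", verdict)
```

Against a live instance, pass `http_transport` instead of `fake_keycloak(...)`; a `fail` verdict means the deployment still issues tokens for a locked account over CIBA, while `inconclusive` usually means the lab's authentication entity never answered the backchannel request, so the test says nothing about the lockout either way.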
EPSS score: 0.00206 (percentile 0.107)
Common Weakness Enumeration (CWE)
NIST, GitHub and Red Hat all classify it as Authentication Bypass by Primary Weakness (CWE-305).
Advisory metadata by source

Source    Advisory ID            Exploitability score   Exploits found   CVSS score
NIST      CVE-2026-9798          2.8                    none listed      4.3 (medium)
GitHub    GHSA-q6h7-xxp7-7429    2.8                    none listed      4.3 (medium)
Red Hat   CVE-2026-9798          2.8                    none listed      not shown

Created and updated timestamps are blank for all three entries.