CVE-2026-9798

ADVISORY - github

Summary

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

EPSS Score: 0.00206 (0.107)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Authentication Bypass by Primary Weakness

ADVISORY - github

Authentication Bypass by Primary Weakness

ADVISORY - redhat

Authentication Bypass by Primary Weakness


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in