CVE-2026-9798
ADVISORY - githubSummary
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
EPSS Score: 0.00206 (0.107)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Authentication Bypass by Primary Weakness
ADVISORY - github
Authentication Bypass by Primary Weakness
ADVISORY - redhat
Authentication Bypass by Primary Weakness
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in