PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16103 Red Hat CVE debrief

CVE-2026-16103 is a medium-severity vulnerability in Keycloak's keycloak-services component. It's an incomplete fix for CVE-2026-9798, allowing attackers with valid client credentials to obtain access and refresh tokens for a user account locked due to brute-force protection if the authentication request was started before the lockout and approved by the user. This issue affects users of Keycloak, especially those with client-initiated backchannel authentication (CIBA) enabled. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Keycloak, especially those with client-initiated backchannel authentication (CIBA) enabled, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating Keycloak configurations, implementing additional monitoring for suspicious authentication requests, and considering compensating controls to limit the impact of potential exploitation. Operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability.

Technical summary

The flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication (CIBA) initiation handler but were omitted from the token redemption handler. This allows an attacker with valid client credentials to obtain access and refresh tokens for a user account that has been locked due to brute-force protection, provided the authentication request was started before the lockout occurred and was approved by the user.

Defensive priority

Medium priority due to the requirement for valid client credentials and specific conditions for exploitation.

Recommended defensive actions

  • Review and update Keycloak configurations to ensure CIBA is properly secured.
  • Implement additional monitoring for suspicious authentication requests.
  • Consider applying compensating controls to limit the impact of potential exploitation.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-17T17:17:14.263Z and has not been modified since then. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The incomplete fix for CVE-2026-9798 allows attackers with valid client credentials to obtain access and refresh tokens under specific conditions.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:14.263Z and has not been modified since then.