CVE-2026-9798 Red Hat CVE debrief

Who should care

Organizations using Keycloak for identity and access management, particularly those with CIBA-enabled applications or high-security authentication requirements. Security teams responsible for brute-force protection and authentication flow security. Developers implementing CIBA-based authentication solutions.

Technical summary

The vulnerability exists in Keycloak's implementation of Client-Initiated Backchannel Authentication (CIBA), an OAuth 2.0 extension for decoupled authentication. The brute-force protection mechanism that temporarily locks accounts after repeated failed login attempts is not properly enforced during CIBA flows. An attacker possessing valid client credentials can continue to initiate authentication requests and obtain tokens for a locked account, effectively bypassing the account lockout security control. This requires the attacker to have already obtained valid client credentials through other means, limiting the attack to scenarios where client compromise has occurred.

Defensive priority

medium

Recommended defensive actions

• Review Keycloak CIBA configuration and assess exposure to brute-force attacks via this authentication flow
• Monitor Red Hat Security Advisories and Keycloak security updates for patches addressing CVE-2026-9798
• Implement additional rate limiting or monitoring on CIBA endpoints as a compensating control until patches are available
• Audit authentication logs for anomalous CIBA authentication patterns that may indicate exploitation attempts

Evidence notes

Vulnerability description sourced from NVD record with references to Red Hat Security and Bugzilla. CVSS vector confirms network attack vector with low attack complexity. Vendor attribution to Keycloak based on description content; vendor field marked for review due to 'Unknown Vendor' classification in source data.

Official resources