PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9801 Red Hat CVE debrief

A vulnerability in Keycloak allows a remote attacker with high privileges to trigger a denial of service condition. The flaw exists in the handling of LDAP password policy responses during authentication. An attacker who controls or compromises an upstream LDAP server can send a malformed password policy response that causes an OutOfMemoryError, terminating the Keycloak JVM and denying service to all realms on the affected node. The attack requires high privileges (realm administrator or compromised LDAP server), is network-accessible, and has low attack complexity. The vulnerability was published on 2026-05-28 and is currently undergoing analysis. No known exploitation in ransomware campaigns has been reported.

Vendor: Red Hat
Product: Red Hat Build of Keycloak
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Keycloak with LDAP federation, particularly those using external or third-party LDAP servers. Security teams managing identity infrastructure and administrators responsible for Keycloak availability should prioritize monitoring and hardening LDAP integrations.

Technical summary

The vulnerability resides in Keycloak's LDAP integration component. When processing password policy responses from an LDAP server during user authentication, insufficient validation of the response data allows a malformed response to exhaust JVM heap memory. The OutOfMemoryError is unhandled and causes the entire Keycloak process to terminate, affecting all configured realms on that node. The CVSS 3.1 score of 4.9 (Medium) reflects the high privilege requirement (PR:H) that limits attack surface, though the network accessibility (AV:N) and low complexity (AC:L) increase risk for environments with external LDAP dependencies. The weakness is categorized under CWE-1284, indicating improper validation of specified quantities in input data.

Defensive priority

Medium

Recommended defensive actions

  • Review LDAP server configurations and ensure only trusted LDAP servers are configured in Keycloak realms
  • Monitor Keycloak JVM memory usage and configure appropriate memory limits and garbage collection policies
  • Implement network segmentation to restrict LDAP server communications to authorized Keycloak nodes only
  • Apply security updates from Red Hat when available, monitoring the Red Hat security advisory referenced in source materials
  • Enable logging and alerting for OutOfMemoryError conditions in Keycloak deployments to detect potential exploitation attempts

Evidence notes

Vulnerability description sourced from NVD record with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. CWE-1284 (Improper Validation of Specified Quantity in Input) identified as primary weakness. Vendor attribution to Red Hat based on reference domain evidence with low confidence; requires review.
