PatchSiren cyber security CVE debrief
CVE-2026-9803 Red Hat CVE debrief
A vulnerability in Keycloak's ClientRegistrationAuth component allows remote unauthenticated attackers to cause a Denial of Service (DoS) condition. The flaw stems from improper handling of malformed 'Authorization: Bearer' headers in POST requests to client registration endpoints, triggering an ArrayIndexOutOfBoundsException that results in HTTP 500 errors. This vulnerability was published on May 28, 2026, and is currently undergoing analysis in the NVD. The issue is classified as CWE-125 (Out-of-bounds Read) with a CVSS 3.1 score of 5.3 (MEDIUM severity). No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Red Hat
- Product: Red Hat Build of Keycloak
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations running Keycloak identity and access management solutions, particularly those exposing client registration endpoints to untrusted networks. Security teams responsible for application availability and DoS protection. Development teams maintaining Keycloak deployments or custom client registration implementations.
Technical summary
The vulnerability exists in Keycloak's ClientRegistrationAuth component, which fails to properly validate malformed 'Authorization: Bearer' headers. An unauthenticated remote attacker can exploit this by sending a specially crafted POST request to any client registration endpoint. The malformed input triggers an ArrayIndexOutOfBoundsException, causing the server to return HTTP 500 errors and resulting in service unavailability. The attack requires no authentication, has low attack complexity, and can be executed over the network without user interaction. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network-based, low-complexity attacks with no privileges required, affecting availability only.
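The failure mode described above is a general one: code that assumes an Authorization header always has the shape "Bearer <token>" and indexes into the split result will throw on a header that has no token part. The following added example (written for this debrief, in Python, and not Keycloak's own ClientRegistrationAuth code) contrasts a hypothetical fragile parser with a hardened one that maps every malformed header to a controlled 401 instead of an unhandled exception. The token character set follows the b64token grammar of RFC 6750; the sample headers are constructed for the example.

```python
import re
from typing import Optional

# Accepts exactly one scheme word "Bearer" (scheme names are case-insensitive),
# at least one whitespace char, then one b64token as defined in RFC 6750:
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)", re.IGNORECASE)


def fragile_bearer_token(header: str) -> str:
    """Hypothetical fragile pattern (not Keycloak code): assumes the header
    always has two parts. A header of just "Bearer" splits into a single
    element, so [1] raises IndexError, the Python analogue of Java's
    ArrayIndexOutOfBoundsException that the advisory describes."""
    return header.split(" ")[1]


def parse_bearer_token(header: Optional[str]) -> Optional[str]:
    """Return the token, or None for anything that is not exactly
    'Bearer <b64token>'. Missing header, other schemes, an empty token,
    or trailing garbage all yield None rather than an exception."""
    if header is None:
        return None
    match = _BEARER_RE.fullmatch(header.strip())
    if match is None:
        return None
    return match.group(1)


def handle_registration_request(headers: dict) -> int:
    """Status code a hardened endpoint returns for the given request headers.
    Header names are assumed to be already normalised to canonical case.
    Real token validation (signature, expiry, audience) is out of scope and
    is assumed to succeed for any syntactically valid token."""
    token = parse_bearer_token(headers.get("Authorization"))
    if token is None:
        # Malformed or absent credential: a client error, never a 500.
        return 401
    return 200


def classify_samples() -> dict:
    """Run the hardened handler over constructed sample headers."""
    samples = [
        "Bearer eyJhbGciOiJSUzI1NiJ9.e30.abc-_~+/==",  # well-formed JWT-like token
        "Bearer",                                      # scheme only, no token
        "Bearer ",                                     # scheme plus whitespace
        "bearer tok",                                  # lower-case scheme is valid
        "Bearer tok extra",                            # trailing garbage
        "Basic dXNlcjpwYXNz",                          # wrong scheme
        None,                                          # header absent
    ]
    return {
        str(h): handle_registration_request({"Authorization": h} if h is not None else {})
        for h in samples
    }


if __name__ == "__main__":
    for header, status in classify_samples().items():
        print(f"{header!r:45} -> {status}")
```

The point for a defender is the contrast in behaviour on the second and third samples: the fragile parser raises, the hardened one returns 401. An equivalent check can sit in a reverse proxy in front of the identity provider as a compensating control until the vendor fix is applied.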
Defensive priority
medium
Recommended defensive actions
- Review Keycloak client registration endpoint configurations and implement input validation for Authorization headers
- Monitor application logs for ArrayIndexOutOfBoundsException errors and HTTP 500 responses on registration endpoints
- Apply security updates from Red Hat when available, referencing the vendor security advisory
- Consider implementing rate limiting on client registration endpoints to reduce DoS impact
- Review network access controls to restrict exposure of client registration endpoints to authorized sources only
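The monitoring action above is concrete enough to script. The following added example (written for this debrief, not a PatchSiren or Red Hat tool) counts HTTP 500 responses to POST requests on client registration paths per source address and, separately, ArrayIndexOutOfBoundsException lines from the server log, then flags any source that crosses a threshold. The log line format and the sample lines are constructed for the example; the path prefix /realms/<realm>/clients-registrations/ is assumed to be where the registration endpoints are served, and the threshold of three is an arbitrary starting point to be tuned per deployment.

```python
import re
from collections import Counter

# Constructed sample log lines, not a real capture. Access-log style lines have the
# shape '<ISO timestamp> <client ip> "<METHOD> <path>" <status>'; server-log style
# lines carry the exception class name. Both formats are assumptions for the example.
SAMPLE_LOG = """\
2026-05-28T10:00:01Z 198.51.100.7 "POST /realms/demo/clients-registrations/default" 500
2026-05-28T10:00:01Z ERROR ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
2026-05-28T10:00:02Z 198.51.100.7 "POST /realms/demo/clients-registrations/openid-connect" 500
2026-05-28T10:00:02Z ERROR ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
2026-05-28T10:00:03Z 203.0.113.9 "POST /realms/demo/clients-registrations/default" 201
2026-05-28T10:00:04Z 198.51.100.7 "POST /realms/demo/clients-registrations/default" 500
2026-05-28T10:00:04Z ERROR ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
2026-05-28T10:00:05Z 203.0.113.9 "GET /realms/demo/protocol/openid-connect/certs" 200
2026-05-28T10:00:06Z 192.0.2.5 "POST /realms/demo/clients-registrations/default" 401
"""

ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Assumed prefix for client registration endpoints; adjust to the deployment.
REG_PATH_RE = re.compile(r"^/realms/[^/]+/clients-registrations/")
EXCEPTION_MARK = "ArrayIndexOutOfBoundsException"


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Summarise registration-endpoint 500s per source IP and exception lines.

    A 401 on the same path is the expected response to a bad credential and is
    deliberately not counted; only 500s indicate the crash described in the CVE.
    """
    per_ip_500 = Counter()
    exception_lines = 0
    for line in log_text.splitlines():
        if EXCEPTION_MARK in line:
            exception_lines += 1
            continue
        m = ACCESS_RE.match(line)
        if m is None:
            continue
        if (
            m["method"] == "POST"
            and REG_PATH_RE.match(m["path"])
            and m["status"] == "500"
        ):
            per_ip_500[m["ip"]] += 1
    alert_ips = sorted(ip for ip, n in per_ip_500.items() if n >= threshold)
    return {
        "registration_500s": sum(per_ip_500.values()),
        "exception_lines": exception_lines,
        "per_ip": dict(per_ip_500),
        "alert_ips": alert_ips,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(summary)
    for ip in summary["alert_ips"]:
        print(f"ALERT: {ip} caused {summary['per_ip'][ip]} registration-endpoint 500s")
```

Two caveats when adapting this: the exception lines come from the server log rather than the access log, so in production they must be joined on timestamp or request id before a 500 is attributed to this specific bug, and 500s on these paths can have other causes, so the rule is a trigger for triage rather than proof of exploitation.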
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Vendor attribution to Red Hat based on reference domain evidence with low confidence; product name not confirmed. CVSS vector and CWE classification from NVD source data. Timeline dates derived from CVE published and modified timestamps per source corpus.
Official resources
2026-05-28