By weakness (CWE)
CWE-305: related vulnerabilities
CVEs classified under CWE-305. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
1 published vulnerability
- CVE-2026-9798MEDIUM 4.3
Keycloak's account lockout feature, which temporarily disables accounts after repeated failed login attempts, can be bypassed when an attacker possesses valid client credentials. By using the Client-Initiated Backchannel Authentication (CIBA) flow—a legitimate OAuth 2.0 feature—attackers can circumvent the lockout and continue attempting to authenticate or obtain tokens. This undermines brute-force protection and creates a secondary path for unauthorized access once the attacker has obtained initial client credentials.