CVE-2026-9798: Keycloak Account Lockout Bypass via CIBA Flow
Keycloak's account lockout feature, which temporarily disables accounts after repeated failed login attempts, can be bypassed when an attacker possesses valid client credentials. By using the Client-Initiated Backchannel Authentication (CIBA) flow—a legitimate OAuth 2.0 feature—attackers can circumvent the lockout and continue attempting to authenticate or obtain tokens. This undermines brute-force protection and creates a secondary path for unauthorized access once the attacker has obtained initial client credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-305
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9798 describes an authentication bypass in Keycloak's CIBA implementation. The vulnerability arises from insufficient enforcement of account lockout policies within the CIBA flow. When a user account is transitioned to a locked state via the standard login flow (due to CWE-305: Using the Wrong API), the CIBA backchannel authentication handler does not respect or enforce the same lockout state. An attacker with valid OAuth client credentials can exploit this inconsistency to issue authentication requests and potentially obtain tokens on behalf of the locked account, effectively bypassing the intended brute-force mitigation.
Business impact
Organizations relying on Keycloak for user authentication and account security may experience reduced effectiveness of their brute-force defenses. Attackers who obtain valid client credentials—through credential compromise, insider threat, or misconfiguration—gain a secondary attack vector to continue unauthorized authentication attempts even after legitimate users' accounts are locked. This extends the window of opportunity for account takeover and may increase the blast radius of compromised service credentials across federated systems.
Affected systems
Red Hat Build of Keycloak is explicitly affected. The vulnerability applies to deployments where CIBA flow is enabled and where attackers can obtain valid client credentials. Organizations using Keycloak in identity provider or service-to-service authentication roles should assess their client credential inventory and CIBA usage. Patch availability and specific affected version ranges should be verified against Red Hat's security advisories.
Exploitability
Exploitation requires two preconditions: the attacker must possess valid client credentials (CVSS PR:N is notated but context indicates client auth requirement), and the target account must be in a locked state. The attack is network-accessible with low complexity. While not currently tracked as actively exploited in the KEV catalog, the attack is technically straightforward once initial access to client credentials is established, making it moderately concerning in environments where credential hygiene is weak.
Remediation
Apply security updates from Red Hat that enforce account lockout policies consistently across all authentication flows, including CIBA. Verify patch availability and version numbers through Red Hat's official security advisories. Additionally, conduct an inventory of OAuth client credentials in use; revoke or rotate any that are suspected of compromise or have excessive permissions. Consider implementing network-level controls to restrict CIBA endpoints or require step-up authentication for sensitive operations.
Patch guidance
Monitor Red Hat's security advisories for Keycloak patches addressing CVE-2026-9798. Test patches in a non-production environment to ensure compatibility with your CIBA configuration and dependent applications. Prioritize patching systems where CIBA is actively used or where service-to-service authentication is critical. Verify that the patch enforces account lockout state checks before issuing CIBA tokens.
Detection guidance
Monitor Keycloak authentication logs for anomalous patterns: repeated CIBA flow requests from a single client credential against locked accounts, or successful token issuance for locked accounts via CIBA when standard login attempts are blocked. Implement alerting on account lockout events followed by CIBA authentication attempts within a short time window. Review client credential usage logs for unexpected or elevated activity, particularly during or shortly after account security incidents.
Why prioritize this
Although CVSS is rated MEDIUM (4.3), the vulnerability merits prioritization in environments where Keycloak is the primary authentication service and CIBA is enabled for high-value integrations. The impact is compounded if client credentials are widely distributed or if account lockout is a primary brute-force defense. Organizations with strong client credential management and limited CIBA usage may defer to a secondary priority.
Risk score, explained
CVSS 4.3 reflects low confidentiality impact, network accessibility, and low complexity, but also acknowledges that user interaction or valid credentials are required. The score does not capture the context-dependent business risk: in organizations with weak credential governance, this vulnerability could facilitate account takeover of sensitive accounts (including administrative accounts) that would justify higher internal risk ratings.
Frequently asked questions
Does this vulnerability allow unauthenticated attackers to bypass account lockout?
No. The attacker must possess valid OAuth client credentials. This is not a zero-day unauthenticated bypass. It requires the attacker to have already obtained client credentials through credential compromise, misconfiguration, or insider access.
If we do not use the CIBA flow, are we vulnerable?
No. If CIBA is not enabled or in use in your Keycloak deployment, this specific bypass does not apply. However, you should verify your Keycloak configuration to confirm CIBA is disabled or not actively used.
What is the difference between CVSS PR:N and the actual credential requirement?
The CVSS PR:N (no privileges required) notation reflects that the attack does not require Keycloak admin rights. However, it does require valid client credentials, which is a form of pre-authentication. This nuance is important for your threat modeling.
Should we revoke all client credentials as a precaution?
Not necessarily, but conduct an immediate audit of client credential distribution, scope, and usage. Revoke or rotate any credentials that are overly permissive, unused, or managed by third parties. Focus on credentials used by high-risk integrations or external services.
This analysis is based on published vulnerability data as of the modification date (2026-06-17). Patch availability, affected version ranges, and specific remediation steps must be verified against Red Hat's official security advisories. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific Keycloak deployment, CIBA usage, and credential management practices. This intelligence does not constitute professional security advice; consult with your security team before taking remediation actions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-9791MEDIUMKeycloak Organization Metadata Disclosure in OIDC Tokens
- CVE-2026-9792MEDIUMKeycloak Client Policies ROPC Grant Bypass
- CVE-2026-9793MEDIUMKeycloak JWE Signature Bypass in OIDC Request Objects
- CVE-2026-9794MEDIUMKeycloak SAML ECP Information Disclosure Vulnerability
- CVE-2026-9796MEDIUMKeycloak TOCTOU Privilege Escalation—Persistent Realm-Admin Access
- CVE-2026-9801MEDIUMKeycloak LDAP OutOfMemoryError Denial of Service
- CVE-2026-9802MEDIUMKeycloak Refresh Token Replay After Revocation