MEDIUM 4.9

CVE-2026-9801: Keycloak LDAP OutOfMemoryError Denial of Service

Keycloak has a vulnerability that allows a high-privileged attacker—such as a realm administrator or someone who has compromised an upstream LDAP server—to crash the Keycloak service by sending a specially crafted LDAP password policy response. When triggered during authentication, this causes the Java process to run out of memory and shut down, knocking the service offline for all users on that node. The attack requires either legitimate administrative access to configure a malicious LDAP directory or prior compromise of an existing LDAP backend.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-1284
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-26

NVD description (verbatim)

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper handling of malformed LDAP password policy responses in Keycloak's authentication flow. When a user attempts to authenticate and Keycloak queries an LDAP server for password policy information, a crafted response can trigger an uncontrolled memory allocation, resulting in an OutOfMemoryError in the JVM. This leads to immediate process termination. The issue is rooted in insufficient input validation and resource bounds enforcement when parsing LDAP policy data, classified under CWE-1284 (Improper Validation of Specified Quantity in Input).

Business impact

This vulnerability directly impacts service availability. A successful exploit renders the Keycloak instance unavailable to all users and applications relying on that node for authentication and authorization. In multi-node deployments, the attack targets individual nodes; however, if the malicious LDAP configuration or compromise affects the entire directory backend, repeated crashes could disrupt the authentication infrastructure. For organizations with single-node Keycloak deployments or those where all nodes query the same LDAP source, this becomes a critical availability risk despite the MEDIUM CVSS score.

Affected systems

Red Hat build of Keycloak is confirmed affected. Organizations running Keycloak instances that authenticate users via LDAP—whether configured directly by administrators or inherited from upstream directory services—are in scope. The attack surface is limited to realms explicitly configured with LDAP authentication, but all realms on the affected node experience the denial of service once the vulnerability is triggered.

Exploitability

Exploitation requires high privilege: either administrative access to Keycloak to configure a malicious LDAP server connection, or prior compromise of an upstream LDAP directory. The attack itself is trivial once those conditions are met—sending a malformed LDAP response during an authentication attempt triggers the fault. No user interaction or additional complexity is required. However, the privilege barrier significantly limits the number of realistic attack scenarios. This is not a remote code execution path; it is strictly a denial of service mechanism.

Remediation

Patch Keycloak to the fixed version specified in the official Red Hat advisory. After patching, verify that all LDAP server connections are properly validated and originate from trusted, secure infrastructure. Review LDAP server configurations and network segmentation to ensure upstream directory services cannot be trivially compromised. For interim mitigation on non-critical environments, consider temporarily disabling LDAP authentication until a patch is deployed, though this may not be practical in production.

Patch guidance

Obtain and deploy the patched version of Red Hat build of Keycloak from Red Hat's security advisory. Verify the patch version against the advisory to ensure you are deploying the correct release. Test the patch in a staging environment with live LDAP authentication scenarios before production rollout. Document the patching timeline and ensure all Keycloak nodes in your deployment are updated, as nodes running older versions remain vulnerable.

Detection guidance

Monitor Keycloak JVM logs for OutOfMemoryError events coupled with LDAP authentication activity. Sudden, unexplained Keycloak process restarts correlated with failed authentication attempts may indicate exploitation attempts. Examine LDAP server logs for anomalous or malformed policy requests. Alert on repeated authentication failures followed by service crashes. In a SOC context, correlate Keycloak availability drops with LDAP traffic analysis to detect suspicious patterns. Baseline normal JVM memory usage and flag deviations during authentication peaks.

Why prioritize this

Although assigned MEDIUM severity, this vulnerability deserves elevated attention in organizations heavily dependent on Keycloak for centralized authentication. The availability impact is severe, and the privilege barrier, while real, may be lower in environments where LDAP administrators are less carefully segregated from potential compromise vectors or where supply-chain risks to LDAP infrastructure exist. Prioritization should reflect your authentication architecture criticality and LDAP trust posture, not CVSS alone.

Risk score, explained

The CVSS 3.1 score of 4.9 (MEDIUM) reflects the high-privilege requirement (PR:H) and lack of confidentiality or integrity impact (C:N, I:N). However, the availability impact is rated high (A:H) due to complete service loss on affected nodes. The score appropriately discounts for the admin-level access prerequisite but does not fully capture the business criticality of authentication infrastructure outages in most enterprise contexts. Organizations should apply business context to this technical score.

Frequently asked questions

Can this vulnerability be exploited remotely without prior access or LDAP administrative privileges?

No. Exploitation requires either the ability to configure an LDAP server connection in Keycloak (realm administrator) or prior compromise of an upstream LDAP directory. A remote, unauthenticated attacker cannot trigger this vulnerability without one of these preconditions.

Does this affect Keycloak instances that do not use LDAP authentication?

Keycloak instances configured to use other authentication mechanisms (database, OIDC federation, etc.) are not affected by this specific vulnerability. However, realms on the same node that do use LDAP are still vulnerable.

If I have multiple Keycloak nodes, does compromising the LDAP server affect all of them?

If all nodes query the same LDAP backend and the attacker can inject malformed policy responses, each node becomes independently susceptible to the crash. A well-coordinated attack or persistent LDAP compromise could degrade the entire cluster over time through repeated node crashes.

What is the difference between this vulnerability and a typical DDoS attack on Keycloak?

This is not a network-layer DDoS. It is an internal resource exhaustion attack that leverages Keycloak's trust in LDAP responses. Once triggered, it kills the JVM instantly, bypassing any rate limiting or connection throttling. Traditional DDoS defenses do not mitigate it; the fix is to validate LDAP input properly.

This analysis is based on the published CVE record and Red Hat vendor disclosures as of the modification date provided. Exploit code and step-by-step attack instructions are not included. Organizations must verify patch availability and applicability against their specific Keycloak version and deployment topology with official Red Hat documentation. SEC.co provides this intelligence for informational purposes to support risk assessment and remediation planning; consult your vendor and security team for production deployment decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).