MEDIUM 5.3

CVE-2026-9803: Keycloak ClientRegistrationAuth Denial of Service Vulnerability

Keycloak's client registration endpoint contains a flaw that allows unauthenticated attackers to crash the service by sending malformed authentication headers. When an attacker sends a specially crafted POST request with a broken 'Authorization: Bearer' header to the client registration endpoint, the server throws an exception and returns an error, effectively taking the service offline temporarily. No data is stolen or modified—this is purely a denial of service issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-26

NVD description (verbatim)

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9803 is a vulnerability in the ClientRegistrationAuth component of Keycloak. The flaw stems from improper handling of malformed Bearer token headers in the Authorization field when processing client registration requests. An unauthenticated remote attacker can trigger an ArrayIndexOutOfBoundsException by crafting a POST request with a malformed Authorization header to any client registration endpoint. The exception is not caught at the appropriate layer, resulting in an HTTP 500 response and service unavailability. The vulnerability is classified under CWE-125 (Out-of-bounds Read), indicating the underlying issue involves improper array indexing during token parsing.

Business impact

This vulnerability enables denial of service attacks against Keycloak deployments, potentially disrupting authentication and authorization services for dependent applications. In identity-centric architectures where Keycloak acts as a central authentication broker, successful exploitation could cascade outages across multiple downstream services relying on the identity provider. The impact is bounded to availability; confidentiality and integrity are not compromised. Organizations relying on Keycloak for SSO or multi-tenant authentication should view service availability disruption as a business-critical risk.

Affected systems

Red Hat build of Keycloak is affected by this vulnerability. Organizations running Keycloak as an identity provider or authentication service are at risk. The vulnerability is network-accessible and requires no user authentication to trigger, making it exploitable by any network-capable attacker with visibility to the client registration endpoint. Verify the specific Keycloak version in your environment against the vendor advisory to confirm impact scope.

Exploitability

Exploitability is straightforward. The attack requires only network access and the ability to craft a POST request with a malformed Bearer header—no authentication, no user interaction, and no advanced techniques are required. The CVSS vector reflects this accessibility (AV:N/AC:L/PR:N/UI:N), indicating any unauthenticated remote attacker can attempt exploitation. However, this is not tracked in the Known Exploited Vulnerabilities (KEV) catalog, suggesting public proof-of-concept exploitation or active weaponization may be limited or not yet documented at scale.

Remediation

Apply the latest security patch from Red Hat for the build of Keycloak. Consult the Red Hat security advisory linked to CVE-2026-9803 for specific patch versions and upgrade paths. As an interim measure, implement network-level access controls to restrict traffic to the client registration endpoint to only trusted network sources, reducing the attack surface. Consider deploying a WAF or reverse proxy that can validate Authorization header format before forwarding to Keycloak, though this should not substitute for patching.

Patch guidance

Obtain and apply the security patch from Red Hat as detailed in their official security advisory for CVE-2026-9803. Verify patch version numbers and compatibility with your deployment from the vendor advisory directly. Test patches in a non-production environment first, particularly if Keycloak serves multiple dependent applications. Schedule patching during a maintenance window to minimize service disruption. After patching, validate client registration functionality to ensure no regression.

Detection guidance

Monitor for HTTP 500 errors originating from client registration endpoints, particularly clusters of such errors in a short time window. Log and alert on POST requests to registration endpoints with malformed or truncated Authorization headers (e.g., 'Bearer' without a token, or 'Bearer' followed by non-base64 characters). Analyze access logs for repeated requests from the same source IP to registration endpoints, which may indicate reconnaissance or attack attempts. Use IDS/IPS signatures that detect malformed Bearer token patterns if available from your vendor.

Why prioritize this

Though rated MEDIUM severity (CVSS 5.3) with limited attack surface compared to remote code execution flaws, this vulnerability warrants prompt remediation because it directly threatens service availability of a critical infrastructure component—the authentication system. In zero-trust and identity-centric security models, availability of the identity provider is non-negotiable. Organizations should prioritize patching based on deployment criticality: Keycloak instances serving production authentication should be patched first. The lack of KEV tracking suggests the vulnerability may not yet be actively exploited at scale, affording a window to patch proactively before adversaries develop or deploy tools.

Risk score, explained

The CVSS 5.3 MEDIUM rating reflects a network-accessible, unauthenticated denial of service vulnerability with no impact to confidentiality or integrity. The score appropriately captures the ease of attack (AV:N/AC:L/PR:N/UI:N) tempered by the bounded scope of impact (availability only, no data compromise). For organizations where Keycloak availability is critical to business continuity, the business risk may exceed the numerical CVSS, justifying expedited patching despite the MEDIUM label.

Frequently asked questions

Can this vulnerability be exploited to steal user credentials or authenticate as another user?

No. CVE-2026-9803 is purely a denial of service flaw. It does not compromise confidentiality (no data theft) or integrity (no unauthorized modifications or authentication bypass). An attacker can disrupt service but cannot access user data or masquerade as legitimate users.

Do I need to reset user passwords or rotate credentials after exploitation?

No credential rotation is required unless there is separate evidence of a different compromise. This vulnerability does not allow attackers to capture or modify user credentials. If you identify indicators of exploitation (HTTP 500 clusters), focus on remediation and forensic investigation of whether other attacks occurred simultaneously.

Can network segmentation mitigate this vulnerability until patching?

Partial mitigation is possible. Restricting network access to client registration endpoints to only trusted sources reduces exploitability. However, this is a compensating control, not a fix. If any untrusted network segment can reach the endpoint, the vulnerability remains exploitable. Always prioritize patching over relying on access controls alone.

What if I don't know my Keycloak version?

Check your Keycloak deployment documentation, admin console, or container image metadata for the version number. Compare it against the Red Hat security advisory for CVE-2026-9803 to determine if your version is vulnerable. If uncertain, assume vulnerability and test patching in a lab environment first.

This analysis is provided for informational purposes to support security decision-making. It is not legal advice, and organizations should consult their legal and risk teams before making remediation or deployment decisions. Patch version numbers, affected product lists, and timeline guidance should be verified against the official Red Hat security advisory for CVE-2026-9803. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability information; always reference official vendor sources for authoritative details. Organizations are responsible for assessing the applicability and risk of vulnerabilities within their specific environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).