CVE-2026-4634 Overview
A flaw was found in Keycloak that allows an unauthenticated attacker to exploit a Denial of Service (DoS) vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service for the Keycloak server.
Critical Impact
Unauthenticated attackers can remotely exhaust server resources and cause prolonged service outages by exploiting improper input validation in the OIDC token endpoint.
Affected Products
- Red Hat Single Sign-On (RHSSO)
- Keycloak
- Red Hat build of Keycloak
Discovery Timeline
- April 2, 2026 - CVE-2026-4634 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4634
Vulnerability Analysis
This vulnerability (CWE-1050: Excessive Platform Resource Consumption within a Loop) exists in Keycloak's OpenID Connect token endpoint implementation. The flaw stems from inadequate validation of the scope parameter length in incoming POST requests. When an attacker submits a request containing an abnormally long scope string, the server attempts to process this input, consuming excessive CPU and memory resources during parsing and validation operations.
The attack is particularly concerning because it requires no authentication, making it accessible to any network-connected attacker. The server becomes overwhelmed attempting to handle the malformed request, degrading performance for legitimate users and potentially causing complete service unavailability.
Root Cause
The vulnerability is classified under CWE-1050 (Excessive Platform Resource Consumption within a Loop), indicating that the Keycloak application fails to properly limit the processing of user-supplied input in the scope parameter. Without adequate bounds checking or resource consumption limits, the server iteratively processes the excessively long scope value, leading to resource exhaustion. The absence of input length validation allows attackers to trigger computationally expensive operations that scale with input size.
Attack Vector
The attack is network-based, requiring no authentication or user interaction. An attacker sends specially crafted HTTP POST requests to the Keycloak OIDC token endpoint (/realms/{realm}/protocol/openid-connect/token) with a scope parameter containing an excessively long string value. The attack has low complexity and can be executed remotely against any exposed Keycloak instance.
The malicious request causes the server to enter a resource-intensive processing state, consuming significant CPU cycles and memory. Repeated requests can compound the effect, eventually exhausting server resources and denying service to legitimate authentication requests.
Detection Methods for CVE-2026-4634
Indicators of Compromise
- Unusually large HTTP POST requests targeting the /realms/*/protocol/openid-connect/token endpoint
- Abnormally high CPU utilization on Keycloak server processes
- Memory pressure or out-of-memory conditions on authentication servers
- Increased response latency or timeouts for OIDC token requests
Detection Strategies
- Monitor HTTP request payload sizes to the OIDC token endpoint for anomalous values exceeding normal scope parameter lengths
- Implement alerting on sustained high CPU usage patterns on Keycloak instances
- Analyze web application firewall (WAF) logs for POST requests with unusually large body sizes to authentication endpoints
- Configure SentinelOne Singularity to detect resource exhaustion patterns indicative of DoS attacks
Monitoring Recommendations
- Enable detailed access logging for the Keycloak token endpoint to capture request characteristics
- Set up resource utilization thresholds and alerts for Keycloak application servers
- Monitor authentication service availability and response times as early warning indicators
- Review and correlate logs from load balancers and reverse proxies fronting Keycloak deployments
How to Mitigate CVE-2026-4634
Immediate Actions Required
- Apply the security patches provided in the Red Hat Security Advisories (RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477, RHSA-2026:6478)
- Implement request body size limits at the web server or reverse proxy level
- Configure rate limiting for the OIDC token endpoint to mitigate exploitation attempts
- Review and restrict network access to Keycloak instances where possible
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability:
- Red Hat Security Advisory RHSA-2026:6475
- Red Hat Security Advisory RHSA-2026:6476
- Red Hat Security Advisory RHSA-2026:6477
- Red Hat Security Advisory RHSA-2026:6478
For additional details, see the Red Hat CVE-2026-4634 Information page and Red Hat Bugzilla Report #2450250.
Workarounds
- Configure a reverse proxy or WAF to limit the maximum POST body size for requests to the OIDC token endpoint
- Implement rate limiting at the network edge to throttle excessive requests from single sources
- Deploy Keycloak behind a load balancer with connection and request limits configured
- Consider implementing a web application firewall rule to reject requests with abnormally long scope parameters
# Example Nginx configuration to limit request body size for Keycloak
location /realms/ {
client_max_body_size 8k;
proxy_pass http://keycloak_backend;
# Rate limiting
limit_req zone=keycloak_limit burst=10 nodelay;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
