CVE-2026-9798 Overview
CVE-2026-9798 is a brute-force protection bypass in Keycloak, the open-source identity and access management platform. The flaw allows an attacker holding valid client credentials to abuse the Client-Initiated Backchannel Authentication (CIBA) flow against a temporarily locked user account. Although the account is locked after repeated failed login attempts, the CIBA path continues to accept authentication requests and issue tokens. This breaks the assumption that lockout policies apply uniformly across all authentication channels. The weakness is categorized under CWE-305 (Authentication Bypass by Primary Weakness).
Critical Impact
Authenticated clients can continue probing locked accounts through the CIBA flow, undermining brute-force lockout controls and enabling further unauthorized authentication attempts.
Affected Products
- Keycloak (open-source identity and access management)
- Red Hat build of Keycloak (see Red Hat advisory)
- Deployments exposing the CIBA authentication flow to trusted clients
Discovery Timeline
- 2026-05-28 - CVE-2026-9798 published to the National Vulnerability Database (NVD)
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9798
Vulnerability Analysis
Keycloak enforces a brute-force protection mechanism that temporarily locks user accounts after a configurable number of failed authentication attempts. The lockout is intended to halt password guessing across all authentication entry points. CVE-2026-9798 demonstrates that the CIBA flow does not honor this state.
CIBA is an OpenID Connect extension that lets a client initiate authentication on behalf of a user through a decoupled device or channel. The client authenticates to the token endpoint with its own credentials and requests user authentication asynchronously. In a vulnerable Keycloak instance, the CIBA flow does not consult the brute-force lockout status for the targeted user. As a result, an attacker who controls a registered client can continue submitting authentication requests against locked users and may receive issued tokens.
Root Cause
The root cause is inconsistent enforcement of brute-force protection across authentication flows. The lockout check is applied to interactive flows but is missing from the CIBA backchannel path, leaving an authentication-bypass-by-primary-weakness condition.
Attack Vector
Exploitation requires network access to the Keycloak token endpoint and possession of valid client credentials configured for CIBA. The attacker triggers repeated failed logins to place a user account into a locked state, then pivots to the CIBA flow to continue authentication attempts against that same account. User interaction is required to approve the CIBA request, which constrains exploitability but does not eliminate the bypass.
No verified public exploit code is available. Refer to the Red Hat CVE Advisory and Red Hat Bug Report #2482470 for vendor technical details.
Detection Methods for CVE-2026-9798
Indicators of Compromise
- Successful CIBA token issuance for a user account whose interactive logins were recently blocked by brute-force protection.
- Repeated authentication_request calls to the CIBA endpoint from a single client targeting one or more users.
- Token issuance events on locked accounts in Keycloak event logs.
Detection Strategies
- Enable Keycloak event logging for LOGIN_ERROR, USER_DISABLED_BY_PERMANENT_LOCKOUT, and CIBA-related events, then correlate lockout events with subsequent CIBA token issuance for the same user.
- Alert on clients that consume the CIBA grant type at unusually high rates or that target users with recent failed login bursts.
- Baseline normal CIBA usage per client and flag deviations in request volume or target user diversity.
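The correlation described in the indicators and detection strategies above, written out as an added example (not code from the advisory, Keycloak or Red Hat). It takes event records in the shape of Keycloak's admin events API (time in epoch milliseconds, type, clientId, userId, ipAddress, error, details), tracks per-user brute-force lockout windows from LOGIN_ERROR events, and raises an alert whenever a CIBA token is issued (the AUTHREQID_TO_TOKEN event, grant type urn:openid:params:grant-type:ciba) to a user still inside such a window. The event names are taken from Keycloak's event type list; the failure threshold, lockout duration and the sample events are constructed assumptions, not values read from any realm.

```python
"""Correlate Keycloak brute-force lockouts with later CIBA token issuance.

Input records follow the shape of Keycloak's admin events API (time in epoch
milliseconds, type, clientId, userId, ipAddress, error, details). Event names
come from Keycloak's EventType list; the thresholds below are assumptions and
should be aligned with the realm's actual brute-force settings.
"""
from collections import defaultdict

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
CIBA_TOKEN_EVENT = "AUTHREQID_TO_TOKEN"      # CIBA auth_req_id exchanged for tokens
LOGIN_ERROR = "LOGIN_ERROR"
LOCKOUT_ERROR = "user_temporarily_disabled"  # error value logged once a user is locked

# Constructed sample events: five bad passwords for u-alice, Keycloak reporting
# the temporary lockout, then CIBA token issuance to u-alice inside the lockout
# window (the bypass), to u-bob (never locked) and to u-alice after expiry.
T0 = 1_780_000_000_000
SAMPLE_EVENTS = [
    {"time": T0 + i * 1000, "type": LOGIN_ERROR, "clientId": "account-console",
     "userId": "u-alice", "ipAddress": "203.0.113.7",
     "error": "invalid_user_credentials", "details": {}}
    for i in range(5)
] + [
    {"time": T0 + 5000, "type": LOGIN_ERROR, "clientId": "account-console",
     "userId": "u-alice", "ipAddress": "203.0.113.7",
     "error": LOCKOUT_ERROR, "details": {}},
    {"time": T0 + 20000, "type": CIBA_TOKEN_EVENT, "clientId": "ciba-device-client",
     "userId": "u-alice", "ipAddress": "198.51.100.9",
     "details": {"grant_type": CIBA_GRANT}},
    {"time": T0 + 25000, "type": CIBA_TOKEN_EVENT, "clientId": "ciba-device-client",
     "userId": "u-bob", "ipAddress": "198.51.100.9",
     "details": {"grant_type": CIBA_GRANT}},
    {"time": T0 + 90000, "type": CIBA_TOKEN_EVENT, "clientId": "ciba-device-client",
     "userId": "u-alice", "ipAddress": "198.51.100.9",
     "details": {"grant_type": CIBA_GRANT}},
]


def find_lockout_bypass(events, failure_threshold=5, lockout_ms=60_000):
    """Return one alert per CIBA token issued to a user inside a lockout window.

    A user counts as locked from the earlier of
      * the failure_threshold-th LOGIN_ERROR within lockout_ms, or
      * Keycloak itself reporting user_temporarily_disabled,
    until lockout_ms after the most recent locking event.
    """
    failures = defaultdict(list)   # userId -> recent LOGIN_ERROR timestamps
    locked_until = {}              # userId -> end of lockout window (epoch ms)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, t = ev.get("userId"), ev["time"]
        if not user:
            continue
        if ev["type"] == LOGIN_ERROR:
            recent = [x for x in failures[user] if t - x <= lockout_ms] + [t]
            failures[user] = recent
            if ev.get("error") == LOCKOUT_ERROR or len(recent) >= failure_threshold:
                locked_until[user] = max(locked_until.get(user, 0), t + lockout_ms)
        elif (ev["type"] == CIBA_TOKEN_EVENT
              and ev.get("details", {}).get("grant_type") == CIBA_GRANT
              and t <= locked_until.get(user, -1)):
            alerts.append({
                "userId": user,
                "clientId": ev.get("clientId"),
                "ipAddress": ev.get("ipAddress"),
                "time": t,
                "locked_until": locked_until[user],
                "reason": "CIBA token issued during brute-force lockout",
            })
    return alerts


def ciba_client_stats(events):
    """Per-client CIBA token volume and target-user diversity, for baselining."""
    tokens = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        if ev["type"] == CIBA_TOKEN_EVENT:
            tokens[ev["clientId"]] += 1
            users[ev["clientId"]].add(ev.get("userId"))
    return {c: {"tokens": tokens[c], "distinct_users": len(users[c])} for c in tokens}


if __name__ == "__main__":
    for a in find_lockout_bypass(SAMPLE_EVENTS):
        print(f"ALERT {a['reason']}: user={a['userId']} client={a['clientId']} "
              f"ip={a['ipAddress']} t={a['time']}")
    print(ciba_client_stats(SAMPLE_EVENTS))
```

Against the sample data only the token issued 20 seconds after the lockout is flagged; the same client's token for u-bob and the later token for u-alice after the window has expired are not. In a SIEM the same logic maps to a join between lockout events and AUTHREQID_TO_TOKEN events on userId, bounded by the realm's lockout duration, while ciba_client_stats supplies the per-client baseline that the third detection strategy calls for.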
Monitoring Recommendations
- Forward Keycloak admin and event logs to a centralized logging or SIEM platform for correlation across authentication channels.
- Track which clients are authorized for CIBA and review whether each truly requires the grant.
- Monitor for token issuance to accounts flagged by brute-force protection within the lockout window.
How to Mitigate CVE-2026-9798
Immediate Actions Required
- Inventory all Keycloak clients with the CIBA grant type enabled and disable it where not required.
- Apply the Keycloak or Red Hat build of Keycloak update once available, per the Red Hat CVE Advisory.
- Rotate client secrets for any CIBA-capable clients suspected of misuse.
- Review event logs for token issuance against accounts that were locked at the time of issuance.
Patch Information
Consult the Red Hat CVE Advisory and Red Hat Bug Report #2482470 for fixed package versions and update guidance specific to your Keycloak distribution.
Workarounds
- Restrict the CIBA grant type to a minimal set of trusted, audited clients until patched builds are deployed.
- Tighten brute-force protection thresholds and increase lockout duration to reduce the window of abuse.
- Require strong client authentication, such as private_key_jwt, for any client allowed to use CIBA.
- Place additional network controls in front of the Keycloak token endpoint to limit which sources can reach the CIBA flow.
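The client inventory from the immediate actions above and the first and third workarounds (restrict CIBA to an allowlist of audited clients, require private_key_jwt) can be checked together from a realm's client list. The following is an added example, not code from the advisory, Keycloak or Red Hat. It operates on client representations as returned by the admin REST API or kcadm.sh get clients, and assumes the per-client attribute oidc.ciba.grant.enabled and the clientAuthenticatorType values client-secret and client-jwt (private_key_jwt) from Keycloak's client representation; the allowlist and the sample clients are constructed.

```python
"""Audit Keycloak client representations for CIBA exposure.

Works on the JSON list returned by the admin API or
`kcadm.sh get clients -r <realm>`. Assumed from Keycloak's client
representation: the attribute `oidc.ciba.grant.enabled` ("true"/"false") and
`clientAuthenticatorType` ("client-secret", "client-jwt" for private_key_jwt).
"""
import copy
import json

CIBA_ATTR = "oidc.ciba.grant.enabled"
STRONG_AUTHENTICATORS = {"client-jwt"}   # private_key_jwt; extend if X.509 auth is used

# Constructed sample clients (not a real realm export).
SAMPLE_CLIENTS = [
    {"id": "c1", "clientId": "ciba-device-client", "publicClient": False,
     "clientAuthenticatorType": "client-secret",
     "attributes": {CIBA_ATTR: "true"}},
    {"id": "c2", "clientId": "legacy-portal", "publicClient": False,
     "clientAuthenticatorType": "client-jwt",
     "attributes": {CIBA_ATTR: "true"}},
    {"id": "c3", "clientId": "account-console", "publicClient": True,
     "clientAuthenticatorType": "client-secret", "attributes": {}},
    {"id": "c4", "clientId": "approved-backend", "publicClient": False,
     "clientAuthenticatorType": "client-jwt",
     "attributes": {CIBA_ATTR: "true"}},
]


def ciba_enabled(client):
    """True when the client may use the CIBA grant."""
    return client.get("attributes", {}).get(CIBA_ATTR, "false").lower() == "true"


def audit_ciba_clients(clients, allowlist):
    """Findings for CIBA-enabled clients that are not on the allowlist or that
    authenticate with something weaker than private_key_jwt."""
    findings = []
    for c in clients:
        if not ciba_enabled(c):
            continue
        if c["clientId"] not in allowlist:
            findings.append({"clientId": c["clientId"], "id": c["id"],
                             "issue": "CIBA enabled but client not on allowlist",
                             "action": "disable CIBA grant"})
        auth = c.get("clientAuthenticatorType")
        if c.get("publicClient") or auth not in STRONG_AUTHENTICATORS:
            findings.append({"clientId": c["clientId"], "id": c["id"],
                             "issue": f"CIBA enabled with client authenticator {auth}",
                             "action": "switch to private_key_jwt (client-jwt)"})
    return findings


def disable_ciba(client):
    """Copy of the representation with the CIBA grant switched off, ready to PUT
    back to /admin/realms/<realm>/clients/<id>; the input is left unchanged."""
    updated = copy.deepcopy(client)
    updated.setdefault("attributes", {})[CIBA_ATTR] = "false"
    return updated


if __name__ == "__main__":
    allow = {"ciba-device-client", "approved-backend"}
    for f in audit_ciba_clients(SAMPLE_CLIENTS, allow):
        print(json.dumps(f))
    # Equivalent change through the CLI for a flagged client (assumed kcadm syntax):
    #   kcadm.sh update clients/<id> -r <realm> -s 'attributes."oidc.ciba.grant.enabled"=false'
    print(json.dumps(disable_ciba(SAMPLE_CLIENTS[1])["attributes"]))
```

Run against the sample list, the audit flags ciba-device-client (allowlisted, but still on a shared client secret) and legacy-portal (private_key_jwt, but not on the allowlist); account-console has no CIBA grant and approved-backend passes both checks. Re-running the audit after each update, and rotating the secret of any client that was flagged as suspected of misuse, closes the loop on the inventory step.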
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.