CVE-2026-9798

Description

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

References

• https://access.redhat.com/security/cve/CVE-2026-9798
• https://bugzilla.redhat.com/show_bug.cgi?id=2482470