GHSA-q6h7-xxp7-7429
Keycloak has an Authentication Bypass by Primary Weakness
Details
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
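A minimal model of the weakness the advisory describes, added here as an illustration and not Keycloak's code: a brute-force protector that the direct password flow consults but that the flawed backchannel (CIBA) flow skips, beside the hardened variant that applies the same lockout check to every flow. The class and function names, the three-failure threshold, the error strings and the sample user are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Result = Tuple[bool, str]  # (authenticated?, token or error code)


@dataclass
class BruteForceProtector:
    max_failures: int = 3  # temporary-lockout threshold (assumed value)
    failures: Dict[str, int] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.max_failures

    def record(self, user: str, success: bool) -> None:
        self.failures[user] = 0 if success else self.failures.get(user, 0) + 1


@dataclass
class IdentityServer:
    users: Dict[str, str]            # username -> password (constructed)
    protector: BruteForceProtector
    enforce_lockout_on_ciba: bool    # False models the flaw, True the fix

    def _verify(self, user: str, password: str) -> Result:
        ok = self.users.get(user) == password
        self.protector.record(user, ok)
        return (True, "token") if ok else (False, "invalid_user_credentials")

    def password_grant(self, user: str, password: str) -> Result:
        # Direct login path: the lockout is checked before the credentials.
        if self.protector.is_locked(user):
            return False, "user_temporarily_disabled"
        return self._verify(user, password)

    def ciba_authenticate(self, client_ok: bool, user: str, password: str) -> Result:
        # Backchannel path: in the flawed variant only the client is checked,
        # so a locked account can still be authenticated and issued a token.
        if not client_ok:
            return False, "invalid_client"
        if self.enforce_lockout_on_ciba and self.protector.is_locked(user):
            return False, "user_temporarily_disabled"
        return self._verify(user, password)


def locked_account_via_ciba(enforce_lockout_on_ciba: bool) -> Result:
    """Lock 'alice' with three bad passwords, then try the backchannel flow."""
    server = IdentityServer({"alice": "correct"}, BruteForceProtector(), enforce_lockout_on_ciba)
    for _ in range(3):
        server.password_grant("alice", "wrong")
    assert server.password_grant("alice", "correct") == (False, "user_temporarily_disabled")
    return server.ciba_authenticate(True, "alice", "correct")
```

With `enforce_lockout_on_ciba=False` the locked account still receives a token through the backchannel flow; with it set to `True` both flows report the same lockout.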
Affected packages
- 0: No fixed version published yet for org.keycloak:keycloak-services (maven). Pin to a known-safe version or switch to an alternative.
- 26.5.0: No fixed version published yet for org.keycloak:keycloak-services (maven). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-9798 [ADVISORY]
- https://github.com/keycloak/keycloak/issues/49432 [WEB]
- https://github.com/keycloak/keycloak/pull/49791 [WEB]
- https://github.com/keycloak/keycloak/pull/49903 [WEB]
- https://github.com/keycloak/keycloak/pull/49905 [WEB]
- https://github.com/keycloak/keycloak/commit/11c2695064cd93da1d333df3f69d4a4141e86c29 [WEB]
- https://github.com/keycloak/keycloak/commit/2edc6b112e2dedce63062b89ab3c7ae542e0d9ac [WEB]
- https://github.com/keycloak/keycloak/commit/a11e3254efc16ae72ce5092b93b9f557a4ba43ae [WEB]
- https://access.redhat.com/security/cve/CVE-2026-9798 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2482470 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]