A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.

This flaw in Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow is rated as Low impact. The vulnerability allows bypassing brute-force protection when a user account is locked, but only if CIBA is explicitly enabled and configured (non-default), and the user approves the authentication request on their device. This significantly limits the attack surface in typical Red Hat deployments where CIBA is not enabled by default. Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue. To mitigate this issue, ensure that Client-Initiated Backchannel Authentication (CIBA) is not enabled in Keycloak realms unless explicitly required. If CIBA is enabled, consider disabling it to prevent the bypass of brute-force protection mechanisms. Consult Keycloak documentation for instructions on managing CIBA configuration. Red Hat Build of Keycloak Affected rhbk/keycloak-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-9798 https://nvd.nist.gov/vuln/detail/CVE-2026-9798