<Vulnerability name="CVE-2026-9801">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-05-28T04:18:25</PublicDate>
    <Bugzilla id="2482473" url="https://bugzilla.redhat.com/show_bug.cgi?id=2482473" xml:lang="en:us">
keycloak: Keycloak: Denial of Service via malformed LDAP password policy response
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1284</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability in Keycloak presents a denial-of-service risk whenever an LDAP user-storage provider is configured. It requires a highly privileged position: a realm administrator who points the provider at a malicious LDAP server, or an attacker who controls the upstream LDAP server or the connection to it. From that position, returning a malformed LDAP password-policy response during password authentication triggers an OutOfMemoryError, which terminates the Keycloak JVM. The outage is not confined to the realm whose provider was abused; every realm served by the affected node goes down until the process is restarted.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Seongkuk Park for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
To mitigate this vulnerability, ensure that Keycloak's LDAP user-storage providers connect only to trusted, well-maintained LDAP servers, and do not configure LDAP federation against unverified or potentially malicious endpoints. Use TLS for every LDAP connection (LDAPS or StartTLS) with server-certificate validation against a trusted truststore, so that an on-path attacker cannot substitute a response. Note that transport encryption does not protect against the two attackers named above, a realm administrator who configures a hostile server and an upstream server that is itself compromised; for those, limit who holds realm-administrator rights and harden the directory servers themselves. If an upstream LDAP server is compromised, isolate it immediately and disable or repoint the affected provider until the server is rebuilt and verified.
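As an added example, not part of this advisory or of Keycloak's own code, the following Python script audits the LDAP user-storage components of a realm export (the "components" section, or the list returned by the Admin REST API components endpoint) and reports providers that still reach their directory over a plaintext ldap:// URL without StartTLS, which is the first check behind the "always use TLS" advice above. The component list is constructed and hypothetical; the script relies only on Keycloak storing each config value as a list of strings and on the connectionUrl and startTls config keys of the ldap provider, and it treats a space-separated connectionUrl as a failover list.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a realm export's
# components["org.keycloak.storage.UserStorageProvider"] list.
# Hostnames are hypothetical. Keycloak stores every config value
# as a list of strings, hence the single-element lists.
SAMPLE_COMPONENTS = [
    {
        "name": "corp-ldap",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "connectionUrl": ["ldap://ldap.corp.example:389"],
            "startTls": ["false"],
        },
    },
    {
        "name": "partner-ldap",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            # Two URLs: Keycloak accepts a space-separated failover list.
            "connectionUrl": ["ldap://ldap.partner.example:389 ldaps://ldap2.partner.example:636"],
            "startTls": ["true"],
        },
    },
    {
        "name": "legacy-ldaps",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {"connectionUrl": ["ldaps://ldap.legacy.example:636"]},
    },
    {
        # Not an LDAP provider; the audit must skip it.
        "name": "kerberos",
        "providerId": "kerberos",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {},
    },
]


def _first(cfg, key, default=""):
    """Keycloak config maps each key to a list of strings; return element 0."""
    values = cfg.get(key) or []
    return values[0] if values else default


def audit_ldap_components(components):
    """Return (component name, url, reason) for every LDAP user-storage
    provider URL that would carry bind requests and responses in plaintext."""
    findings = []
    for comp in components:
        if comp.get("providerId") != "ldap":
            continue
        cfg = comp.get("config", {})
        start_tls = _first(cfg, "startTls", "false").lower() == "true"
        for url in _first(cfg, "connectionUrl").split():
            scheme = urlsplit(url).scheme.lower()
            if scheme == "ldaps":
                continue          # TLS from the first byte
            if scheme == "ldap" and start_tls:
                continue          # upgraded to TLS before the bind
            if scheme == "ldap":
                findings.append((comp["name"], url, "plaintext ldap:// without StartTLS"))
            else:
                findings.append((comp["name"], url, f"unexpected scheme {scheme!r}"))
    return findings


def audit_realm_export(text):
    """Run the audit over a complete realm export JSON document."""
    realm = json.loads(text)
    comps = realm.get("components", {}).get("org.keycloak.storage.UserStorageProvider", [])
    return audit_ldap_components(comps)


if __name__ == "__main__":
    for name, url, reason in audit_ldap_components(SAMPLE_COMPONENTS):
        print(f"{name}: {url}: {reason}")
```

Run against the constructed sample, only corp-ldap is reported: partner-ldap upgrades its plaintext URL with StartTLS, legacy-ldaps is LDAPS throughout, and the Kerberos provider is ignored. A clean result from this script shows only that the transport is encrypted; it says nothing about whether the server at the other end is trustworthy, which is the part of the mitigation that depends on who may administer realms and on the directory's own security.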
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9801
https://nvd.nist.gov/vuln/detail/CVE-2026-9801
    </References>
</Vulnerability>