Intro – How the Vulnerability Works
CVE-2026-9798 is a flaw in the Client-Initiated Backchannel Authentication (CIBA) flow of Keycloak (Red Hat Build of Keycloak). The CIBA flow is an OAuth 2.0 extension that allows a client application to request user authentication via a direct backchannel communication, without requiring user interaction on the consumption device.
The issue occurs when a user account is temporarily locked due to repeated failed login attempts (the standard brute-force protection mechanism). An attacker who possesses valid client credentials (i.e., a legitimate client ID and secret) can use the CIBA flow to bypass this lockout.
The root cause is that Keycloak does not enforce the account lockout state during the CIBA authentication process. When a client sends a CIBA authentication request for a locked account, Keycloak processes it as if the account were not locked, allowing the attacker to continue sending authentication requests and receiving tokens. This effectively nullifies the brute-force protection designed to prevent automated password guessing attacks.
The vulnerability has a CVSS 3.1 base score of 4.3 (Medium), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. Exploitation requires network access and user interaction, has low attack complexity, needs no privileges, and results in a limited confidentiality impact only. The vulnerability is not listed in the CISA KEV catalog, and no active exploits have been reported in the wild.
DailyCVE Form:
Platform: Red Hat Build
Version: all affected
Vulnerability: CIBA lock bypass
Severity: Medium (4.3)
Date: 2026-05-28
Prediction: No ETA yet
What Undercode Say – Analytics
The following bash script demonstrates how a client can initiate a CIBA authentication request to Keycloak, bypassing the account lockout state:

#!/bin/bash
# CIBA authentication request example (bypasses lockout)
KEYCLOAK_URL="http://your-keycloak:8080"
REALM="master"
CLIENT_ID="private"
CLIENT_SECRET="your-client-secret"
TARGET_USER="[email protected]"

# Step 1: Send CIBA backchannel authentication request
curl -X POST "${KEYCLOAK_URL}/realms/${REALM}/protocol/openid-connect/ext/ciba/auth" \
  -d "client_id=${CLIENT_ID}" \
  -d "client_secret=${CLIENT_SECRET}" \
  -d "login_hint=${TARGET_USER}" \
  -d "scope=openid"

# Step 2: Poll for token (if poll mode)
# The auth_req_id from the response is used to poll the token endpoint
Exploit – Proof of Concept
An attacker with a valid client ID and secret can exploit the CIBA endpoint to continue authentication attempts against a locked account. The steps are:
1. Obtain a legitimate client ID and secret (e.g., from a compromised or publicly available client).
2. Use a script (like the one above) to send repeated CIBA authentication requests to the `/bc-authorize` or `/ext/ciba/auth` endpoint.
3. Despite the account being locked, Keycloak processes each request and returns an `auth_req_id`.
4. The attacker can then exchange the `auth_req_id` for an access token at the token endpoint, successfully authenticating as the locked user.
Protection – Mitigations
- Disable CIBA: If not explicitly required, disable the CIBA flow entirely. In Keycloak, go to your realm → Authentication → CIBA Policy, and ensure the flow is disabled.
- Network Restrictions: Restrict access to the CIBA endpoints to only trusted client IP addresses.
- Stronger Client Credentials: Use strong, randomly generated client secrets and rotate them regularly.
- Monitor CIBA Activity: Monitor logs for unusual CIBA authentication requests, especially for accounts that are supposed to be locked.
- Apply Patches: Once Red Hat releases a security update, apply it immediately.
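The "Monitor CIBA Activity" mitigation is the one a defender can act on before a patch ships. The Python script below is an added example, not part of the advisory and not Keycloak project code; it correlates failed password logins with later CIBA backchannel requests for the same account and raises an alert when a CIBA request arrives while that account should still be in brute-force lockout. The JSON-lines event format, the event type names (LOGIN_ERROR, CIBA_AUTH_REQUEST), the lockout threshold and the lockout window are all assumptions made for the example; map them to your realm's brute-force settings and to the fields your Keycloak event listener actually emits.

```python
"""Flag CIBA backchannel requests for accounts that should be locked out.

Added example for the advisory above; not Keycloak code. The event format,
event type names and lockout parameters are assumptions for illustration.
"""
import json
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 3   # failed logins that trigger a temporary lockout (assumed)
LOCKOUT_SECONDS = 300   # how long the lockout lasts, in seconds (assumed)

# Constructed sample events in a simplified JSON-lines layout (not real logs).
# "ts" is a Unix-style timestamp in seconds; "user" is the login_hint / username.
SAMPLE_EVENTS = """\
{"ts": 1000, "type": "LOGIN_ERROR", "user": "alice", "ip": "203.0.113.5", "flow": "password"}
{"ts": 1010, "type": "LOGIN_ERROR", "user": "alice", "ip": "203.0.113.5", "flow": "password"}
{"ts": 1020, "type": "LOGIN_ERROR", "user": "alice", "ip": "203.0.113.5", "flow": "password"}
{"ts": 1030, "type": "LOGIN_ERROR", "user": "alice", "ip": "203.0.113.5", "flow": "password"}
{"ts": 1040, "type": "CIBA_AUTH_REQUEST", "user": "alice", "ip": "203.0.113.5", "flow": "ciba", "client": "svc-app"}
{"ts": 1050, "type": "CIBA_AUTH_REQUEST", "user": "alice", "ip": "203.0.113.5", "flow": "ciba", "client": "svc-app"}
{"ts": 1100, "type": "CIBA_AUTH_REQUEST", "user": "bob", "ip": "198.51.100.9", "flow": "ciba", "client": "svc-app"}
{"ts": 2000, "type": "CIBA_AUTH_REQUEST", "user": "alice", "ip": "203.0.113.5", "flow": "ciba", "client": "svc-app"}
"""


def parse_events(text):
    """Parse JSON-lines events, skip malformed lines, and order them by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line must not stop the whole scan
    return sorted(events, key=lambda e: e["ts"])


def find_ciba_during_lockout(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_SECONDS):
    """Return one alert per CIBA request that hit an account inside its lockout window.

    The lockout state is reconstructed from the failure events themselves, so the
    check does not depend on Keycloak enforcing the lock in the CIBA flow.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    locked_until = {}               # user -> time at which the lockout expires
    alerts = []

    for ev in events:
        user, ts = ev["user"], ev["ts"]

        if ev["type"] == "LOGIN_ERROR":
            recent = failures[user]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                locked_until[user] = ts + window

        elif ev["type"] == "CIBA_AUTH_REQUEST":
            if ts < locked_until.get(user, -1):
                alerts.append({
                    "ts": ts,
                    "user": user,
                    "client": ev.get("client"),
                    "ip": ev.get("ip"),
                    "reason": "CIBA request for account in brute-force lockout",
                })

    return alerts


if __name__ == "__main__":
    for alert in find_ciba_during_lockout(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

In the constructed sample, the third failed login for alice at ts=1020 starts a lockout that the fourth failure extends to ts=1330, so the two CIBA requests at 1040 and 1050 are flagged, bob's request is not, and alice's request at 2000 falls after the window and is ignored. Running the same logic over real event exports turns the "accounts that are supposed to be locked" wording of the mitigation into a concrete, repeatable check.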
Impact – Potential Consequences
- Bypass of Brute-Force Protection: The primary security control against automated password attacks is neutralized.
- Continued Unauthorized Access Attempts: Attackers can keep trying different credentials for a locked account without triggering lockout.
- Token Issuance for Locked Accounts: The attacker might successfully obtain an access token, gaining unauthorized access to resources.
- Elevation of Attack Surface: The CIBA flow, if enabled, becomes a weaker link in the authentication chain.
- Limited Direct Impact: The vulnerability only affects confidentiality with a low base score, but it can be a stepping stone for more serious attacks.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode