Brute-Force Protection Flaw in Keycloak Services by Red Hat
CVE-2026-16103

4.3MEDIUM

What is CVE-2026-16103?

A vulnerability exists within the keycloak-services component of Keycloak that relates to an incomplete remedy of a previous issue. While brute-force protection measures were implemented for the Client-Initiated Backchannel Authentication (CIBA) initiation handler, they were not extended to cover the token redemption handler. As a result, an attacker could leverage this oversight to gain access and refresh tokens for accounts that were otherwise locked due to brute-force protection, provided they initiated the authentication prior to the lockout and received user approval.

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank johanw for reporting this issue.
.