Brute-Force Protection Flaw in Keycloak Services by Red Hat
CVE-2026-16103
4.3MEDIUM
What is CVE-2026-16103?
A vulnerability exists within the keycloak-services component of Keycloak that relates to an incomplete remedy of a previous issue. While brute-force protection measures were implemented for the Client-Initiated Backchannel Authentication (CIBA) initiation handler, they were not extended to cover the token redemption handler. As a result, an attacker could leverage this oversight to gain access and refresh tokens for accounts that were otherwise locked due to brute-force protection, provided they initiated the authentication prior to the lockout and received user approval.
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank johanw for reporting this issue.