Denial of Service Vulnerability in Keycloak Server by Red Hat
CVE-2026-4634

7.5HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.2
Red Hat Build Of Keycloak 26.2.15
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.11
Vendor
CVE Published:
2 April 2026

What is CVE-2026-4634?

A flaw exists in the Keycloak server where an unauthenticated attacker can exploit it by sending a specially crafted POST request containing an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This attack can cause significant resource consumption and prolonged processing times, potentially leading to a denial of service condition for the Keycloak server, thereby disrupting its availability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Red Hat build of Keycloak 26.2 26.2.15-1

Red Hat build of Keycloak 26.2 26.2-18

Red Hat build of Keycloak 26.2 26.2-18

References

https://access.redhat.com/errata/RHSA-2026:6475
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Slvrqn for reporting this issue.
JSON
.