Denial of Service Vulnerability in Keycloak's ClientRegistrationAuth Component
CVE-2026-9803

5.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-9803?

A vulnerability exists in Keycloak's ClientRegistrationAuth component, where a remote unauthenticated attacker can exploit this flaw by sending a specially crafted POST request containing a malformed 'Authorization: Bearer' header to client registration endpoints. This exploitation can trigger an ArrayIndexOutOfBoundsException, leading to an HTTP 500 error response from the server. Consequently, this results in a Denial of Service condition for the affected service, disrupting its availability.

References

https://access.redhat.com/security/cve/CVE-2026-9803

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2482465

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
May 28, 2026

Credit

Red Hat would like to thank Mustafa Çetin for reporting this issue.

CVE-2026-9803 Data

JSON