CVE Catalog

CVE-2026-9803

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile - higher than 33% of all known CVEs

Summary

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.

Risk Assessment

An attacker can cause the Keycloak service to become unavailable, preventing users from registering clients and potentially disrupting systems that depend on this functionality.

Recommendation

It is recommended to immediately apply patches provided by the vendor and temporarily restrict access to client registration endpoints to trusted IP addresses only.

Original NVD description (English source)

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS