CVE-2026-9801— Keycloak: keycloak: denial of service via malformed ldap password policy response
Possible ATT&CK Techniques 1AI
T1499 · Endpoint Denial of ServiceAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9801
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak: keycloak: denial of service via malformed ldap password policy response
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1284
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于具有高权限的远程攻击者(如配置恶意LDAP服务器的领域管理员或攻击者破坏上游LDAP服务器)可通过在密码身份验证请求期间发送格式错误的LDAP密码策略响应,触发OutOfMemoryError,可能导致Keycloak Java虚拟机终止,从而导致受影响节点上所有领域的拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2026-9801
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9801
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9801 (1)
Other References for CVE-2026-9801 (1)
Same Patch Batch · Red Hat · 2026-05-28 · 14 CVEs total
| CVE-2026-4408 | 9.0 CRITICAL | Samba: remote code execution in samr |
| CVE-2026-9804 | 7.7 HIGH | Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read |
| CVE-2026-9795 | 7.3 HIGH | Keycloak: keycloak: privilege escalation via improper scope mapping enforcement |
| CVE-2026-44604 | 7.0 HIGH | Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level director |
| CVE-2026-9802 | 6.8 MEDIUM | Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster |
| CVE-2026-9792 | 6.5 MEDIUM | Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition |
| CVE-2026-9796 | 6.5 MEDIUM | Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnera |
| CVE-2026-9793 | 5.9 MEDIUM | Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing |
| CVE-2026-9794 | 5.3 MEDIUM | Keycloak: keycloak: information disclosure via saml ecp endpoint |
| CVE-2026-9803 | 5.3 MEDIUM | Keycloak: keycloak: denial of service via malformed authorization header |
| CVE-2026-9791 | 4.3 MEDIUM | Keycloak-rhel9: organization data leak after feature disabled in keycloak |
| CVE-2026-9798 | 4.3 MEDIUM | Keycloak: keycloak: brute-force protection bypass in ciba flow |
| CVE-2026-10028 | 4.3 MEDIUM | Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of s |
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-9802
Keycloak: keycloak: unauthorized account access via replayed - CVE-2026-9803
Keycloak: keycloak: denial of service via malformed authoriz - CVE-2026-9798
Keycloak: keycloak: brute-force protection bypass in ciba fl - CVE-2026-9796
Keycloak: keycloak: privilege escalation via time-of-check t - CVE-2026-9795
Keycloak: keycloak: privilege escalation via improper scope
Same vendor: Red Hat
- CVE-2026-1784
Ose-cluster-ingress-operator: remote code execution through - CVE-2026-5419
Guntls: gnutls: information disclosure via timing side-chann - CVE-2026-43958
Rrdtool: rrdtool: stack buffer overflow allows local code ex - CVE-2026-10118
Poppler: integer overflow in poppler splashoutputdev::tiling - CVE-2026-10533
Openshift: openshift: non-admin user can bypass resourcequot
Same weakness: CWE-1284
- CVE-2026-47329
Incorrect validation of field size in Ubuntu Linux AppArmor - CVE-2026-7254
Open BMC Denial of Service - CVE-2026-9704
Keycloak: keycloak: privilege escalation due to oversized su - CVE-2026-3676
There are multiple vulnerabilities in IBM DB2 bundled with I - CVE-2026-42744
WordPress Ads by WPQuads plugin <= 3.0.2 - Bypass Vulnerabil
V. Comments for CVE-2026-9801
No comments yet