CVE-2026-9801

4.9 MEDIUM

A flaw was found in Keycloak

Published: 2026-05-28 · Last updated: 2026-06-10

Severity and scoring

CVSS: 4.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1284

Affected products

Vendor	Product
redhat	build_of_keycloak

Description

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9801
[Other]https://access.redhat.com/errata/RHSA-2026:25097
[Other]https://access.redhat.com/errata/RHSA-2026:25098
[Vendor advisory]https://access.redhat.com/security/cve/CVE-2026-9801
[Vendor advisory]https://bugzilla.redhat.com/show_bug.cgi?id=2482473

Related CVEs

Same vendor

CVE-2026-50259 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
CVE-2026-50258 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
CVE-2026-50257 — A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence() (7.8 HIGH)
CVE-2026-50256 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
CVE-2026-1784 — The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy (8.8 HIGH)

Same CWE

CVE-2026-11596 — In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user ... (4.7 MEDIUM)
CVE-2026-53689 — libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS ... (7.1 HIGH)
CVE-2026-49777 — Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious... (10.0 CRITICAL)
CVE-2026-47329 — Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppAmor notification respo... (3.3 LOW)
CVE-2026-44635 — Kysely is a type-safe TypeScript SQL query builder (7.5 HIGH)