CVE-2026-9803
5.3 MEDIUM
A flaw was found in Keycloak's ClientRegistrationAuth component
Published: 2026-05-28 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-125 (Out-of-bounds Read)
Affected products
| Vendor | Product |
|---|---|
| redhat | build_of_keycloak |
Description
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote, unauthenticated attacker can trigger it by sending a POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. The malformed header causes an unhandled ArrayIndexOutOfBoundsException, so the server answers with an HTTP 500 error, resulting in a Denial of Service (DoS) for the affected request. Because the JVM raises the exception on the bad index rather than reading past the array, the impact is availability only, which matches the vector's C:N/I:N/A:L; no authentication or user interaction is required (PR:N, UI:N).
Source: NVD
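The bug class behind this advisory, shown as an added example that is not Keycloak's code: a bearer-token parser that indexes into the split header value without checking its length, next to a hardened version that rejects anything other than exactly `Bearer <token>` and maps the failure to a 401 instead of an unhandled exception. The advisory does not say what form the malformed header takes; the inputs used here (a header with no token after the scheme, extra whitespace, a wrong scheme) are constructed representative values, and `handle_request` is a hypothetical stand-in for the endpoint, not a Keycloak API.

```python
import re
from typing import Callable, Mapping, Optional

# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_bearer_unchecked(authorization: Optional[str]) -> str:
    """Vulnerable pattern (illustrative, not Keycloak's code).

    Assumes the header is always "<scheme> <token>" and reads index 1
    without checking how many parts the split produced. A bare "Bearer"
    header yields a one-element list and an IndexError (the Python
    counterpart of ArrayIndexOutOfBoundsException); a missing header
    fails on .split() as well. Either way the exception escapes.
    """
    parts = authorization.split(" ")
    if parts[0] != "Bearer":
        raise ValueError("not a bearer credential")
    return parts[1]


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Hardened parser: returns the token or None, never raises on input shape.

    - tolerates a missing header
    - requires exactly two whitespace-separated parts
    - matches the scheme case-insensitively (HTTP auth schemes are)
    - restricts the token to the RFC 6750 character set
    """
    if authorization is None:
        return None
    parts = authorization.strip().split()
    if len(parts) != 2 or parts[0].casefold() != "bearer":
        return None
    token = parts[1]
    if not _B64TOKEN.fullmatch(token):
        return None
    return token


def handle_request(
    headers: Mapping[str, str],
    parser: Callable[[Optional[str]], Optional[str]],
) -> int:
    """Hypothetical endpoint wrapper: maps parser outcome to an HTTP status.

    Any exception escaping the parser becomes a 500, which is the DoS
    symptom the advisory describes; a parser that returns None yields 401.
    """
    try:
        token = parser(headers.get("Authorization"))
    except Exception:  # unhandled parser failure -> server error
        return 500
    if token is None:
        return 401
    return 200


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        {"Authorization": "Bearer"},          # scheme with no token
        {"Authorization": "Bearer abc.def"},  # well-formed
        {},                                   # header absent
    ]
    for hdrs in samples:
        print(hdrs, "unchecked ->", handle_request(hdrs, parse_bearer_unchecked),
              "| hardened ->", handle_request(hdrs, parse_bearer))
```

The check a practitioner wants is the contrast on the first input: the unchecked parser turns a bare `Bearer` header into a 500, the hardened one into a 401 with no exception, which is the behaviour a fix for this class of bug should restore.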
References
Related CVEs
Same vendor
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11788 — A flaw was found in 389 Directory Server (5.9 MEDIUM)
- CVE-2026-11787 — A flaw was found in 389 Directory Server (5.0 MEDIUM)
Same CWE
- CVE-2026-1765 — A flaw was found in the `tracker-extract-mp3` component of GNOME localsearch (previously known as tracker-miners) (5.6 MEDIUM)
- CVE-2026-1764 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor (5.6 MEDIUM)
- CVE-2026-12087 — Socket versions before 2.041 for Perl have an out-of-bounds heap read
- CVE-2026-53704 — A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package (7.1 HIGH)
- CVE-2026-53703 — A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly) (7.1 HIGH)