{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9801", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-05-28T04:00:46.722Z", "datePublished": "2026-05-28T04:42:10.331Z", "dateUpdated": "2026-05-28T04:42:10.331Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: denial of service via malformed ldap password policy response", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-9801", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473", "name": "RHBZ#2482473", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-05-28T04:18:25.872Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-1284", "description": "Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-1284: Improper Validation of Specified Quantity in Input", "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, ensure that Keycloak's LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately."}], "timeline": [{"lang": "en", "time": "2026-05-28T04:00:39.339Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-28T04:18:25.872Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Seongkuk Park for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-28T04:42:10.331Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node."}], "id": "CVE-2026-9801", "lastModified": "2026-05-28T06:16:29.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-05-28T06:16:29.493", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-9801"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Seongkuk Park for reporting this issue.", "bugzilla": {"description": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response", "id": "2482473", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, ensure that Keycloak's LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately."}, "name": "CVE-2026-9801", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2026-05-28T04:18:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-9801\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-9801"], "statement": "This vulnerability in Keycloak presents a denial-of-service risk when an LDAP user-storage provider is configured. A highly privileged attacker, such as a realm administrator or through a compromised LDAP connection, can send a malformed LDAP password-policy response. This triggers an OutOfMemoryError, causing the Keycloak JVM to terminate and resulting in a complete outage of the node.", "threat_severity": "Moderate"}