CVE-2026-9801
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk38th percentile - higher than 38% of all known CVEs
Summary
A flaw was found in Keycloak where a remote attacker with high privileges (e.g., a realm administrator configuring a malicious LDAP server or an attacker compromising an upstream LDAP server) can trigger an OutOfMemoryError by sending a malformed LDAP password policy response during a password authentication request. This causes the Keycloak JVM to terminate, leading to a denial of service (DoS) for all realms on the affected node.
Risk Assessment
The risk is a complete shutdown of the Keycloak service for all realms on the affected node, preventing authentication and identity management, causing a major disruption to applications relying on this system.
Recommendation
It is recommended to immediately update Keycloak to a patched version and restrict trust for configured LDAP servers to trusted sources only. Also monitor logs for unusual memory errors.
Original NVD description (English source)
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.

