CVE-2026-9803
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
Risk Assessment
An attacker can cause the Keycloak service to become unavailable, preventing users from registering clients and potentially disrupting systems that depend on this functionality.
Recommendation
It is recommended to immediately apply patches provided by the vendor and temporarily restrict access to client registration endpoints to trusted IP addresses only.
Original NVD description (English source)
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.

