Bug 2501736 (CVE-2026-16103) - CVE-2026-16103 keycloak-services: keycloak-services: Incomplete fix for CIBA brute-force lockout bypass at token redemption
Summary: CVE-2026-16103 keycloak-services: keycloak-services: Incomplete fix for CIBA ...
Keywords:
Status: NEW
Alias: CVE-2026-16103
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-17 14:47 UTC by OSIDB Bzimport
Modified: 2026-07-17 14:48 UTC (History)
28 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-17 14:47:20 UTC
The vulnerability is a protection mechanism failure resulting from an incomplete fix for CVE-2026-9798. The original mitigation added a BruteForceProtector check to the CIBA initiation handler in BackchannelAuthenticationEndpoint.java but did not implement a corresponding check in the CIBA token redemption handler (CibaGrantType.java).
Exploitation requires the following conditions:
The attacker must possess valid client credentials for a CIBA-enabled client.

A CIBA authentication request must be initiated while the target account is still unlocked.

The target account must then be driven into a temporary brute-force lockout state.

The legitimate account owner must approve the pending CIBA request on their authentication device.

The attacker redeems the pre-lockout auth_req_id at the token endpoint within the CIBA expiry window.


Successful exploitation allows an attacker to receive valid access and refresh tokens for a locked account, bypassing the intended brute-force protection policy.


Note You need to log in before you can comment on or make changes to this bug.