Fedora Account System
Red Hat Associate
Red Hat Customer
The vulnerability is a protection mechanism failure resulting from an incomplete fix for CVE-2026-9798. The original mitigation added a BruteForceProtector check to the CIBA initiation handler in BackchannelAuthenticationEndpoint.java but did not implement a corresponding check in the CIBA token redemption handler (CibaGrantType.java). Exploitation requires the following conditions: The attacker must possess valid client credentials for a CIBA-enabled client. A CIBA authentication request must be initiated while the target account is still unlocked. The target account must then be driven into a temporary brute-force lockout state. The legitimate account owner must approve the pending CIBA request on their authentication device. The attacker redeems the pre-lockout auth_req_id at the token endpoint within the CIBA expiry window. Successful exploitation allows an attacker to receive valid access and refresh tokens for a locked account, bypassing the intended brute-force protection policy.