Platform: java
Component: org.keycloak:keycloak-services
Fixed in: 26.5.7
CVE-2026-4634 describes a Denial of Service (DoS) vulnerability discovered in Keycloak, a popular open-source Identity and Access Management solution. An unauthenticated attacker can exploit this flaw by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint, leading to resource exhaustion and service disruption. This vulnerability impacts Keycloak versions up to 9.0.3, and a fix is available in version 26.5.7.
The primary impact of CVE-2026-4634 is a Denial of Service (DoS). A successful exploit allows an attacker to overwhelm the Keycloak server with requests, consuming significant CPU and memory resources. This can lead to prolonged processing times for legitimate users, application timeouts, and ultimately, the unavailability of the Keycloak service. The attack's simplicity and the lack of authentication requirements make it relatively easy to execute, potentially impacting a wide range of applications relying on Keycloak for authentication and authorization. The prolonged processing times can also impact downstream services dependent on Keycloak, creating a cascading failure scenario. While data confidentiality and integrity are not directly compromised, the disruption of service can have significant operational and business consequences.
CVE-2026-4634 was publicly disclosed on 2026-04-02. Its severity is rated HIGH (CVSS 7.5). There is currently no indication of active exploitation in the wild, but the ease of exploitation and the lack of authentication requirements suggest a potential for opportunistic attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature makes it likely that PoCs will emerge.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-4634 is to upgrade Keycloak to version 26.5.7 or later, which includes the fix for this vulnerability. If immediate upgrading is not possible, consider implementing rate limiting on the OIDC token endpoint to restrict the number of requests from a single source within a given timeframe. Web Application Firewalls (WAFs) can be configured to detect and block requests with excessively long scope parameters. Monitor Keycloak server resource utilization (CPU, memory) for unusual spikes, which could indicate an ongoing attack. After upgrading, confirm the fix by attempting to send a crafted POST request with a long scope parameter to the OIDC token endpoint and verifying that the server does not experience resource exhaustion or prolonged processing times.
Update Keycloak to a version later than the affected versions. Consult Red Hat security advisories (RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477) for the specific corrected version for your installation.
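The stopgap controls above (a cap on the `scope` parameter and per-source rate limiting on the token endpoint) can be applied in a reverse proxy or WAF in front of Keycloak. The following is an added illustration, not code from the advisory or from Keycloak: `TokenEndpointGuard` applies a token-bucket limit per source address, then rejects token-endpoint POSTs whose form body has too many fields or whose `scope` value is too long or lists too many scopes, and emits one log line per decision for alerting. The limits (`MAX_SCOPE_LEN`, `MAX_SCOPE_TOKENS`, `MAX_FORM_FIELDS`, `BUCKET_CAPACITY`, `REFILL_PER_SEC`), the `Request` shape and the sample traffic in `run_demo` are all assumptions chosen here; only the `/protocol/openid-connect/token` path suffix is Keycloak's real token endpoint. It does not reproduce the fix shipped in 26.5.7.

```python
"""Added defensive example: a pre-auth guard for the OIDC token endpoint of the
kind a reverse proxy or WAF could apply as a stopgap. All limits below are
assumed tuning values for illustration, not limits taken from Keycloak."""
import time
from dataclasses import dataclass
from urllib.parse import parse_qs

MAX_SCOPE_LEN = 1024     # assumed: longest raw `scope` value accepted, in bytes
MAX_SCOPE_TOKENS = 32    # assumed: most space-separated scope values accepted
MAX_FORM_FIELDS = 64     # assumed: most form fields parsed before rejecting
BUCKET_CAPACITY = 20     # assumed: burst allowance per source address
REFILL_PER_SEC = 5.0     # assumed: sustained request rate per source address

TOKEN_PATH_SUFFIX = "/protocol/openid-connect/token"  # Keycloak's token endpoint path


@dataclass
class Request:
    """Minimal view of an HTTP request; body is application/x-www-form-urlencoded."""
    source_ip: str
    method: str
    path: str
    body: str


@dataclass
class _Bucket:
    tokens: float
    last: float


class TokenEndpointGuard:
    """Decide allow/deny for token-endpoint requests before Keycloak sees them."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock              # injectable so tests can freeze time
        self._buckets: dict[str, _Bucket] = {}

    def _take(self, ip: str) -> bool:
        """Token-bucket rate limit: one token per request, refilled over time."""
        now = self._clock()
        b = self._buckets.get(ip)
        if b is None:
            b = self._buckets[ip] = _Bucket(tokens=BUCKET_CAPACITY, last=now)
        b.tokens = min(BUCKET_CAPACITY, b.tokens + (now - b.last) * REFILL_PER_SEC)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

    def check(self, req: Request) -> tuple[str, str]:
        """Return ("allow"|"deny", reason). Only token-endpoint POSTs are inspected."""
        if req.method != "POST" or not req.path.endswith(TOKEN_PATH_SUFFIX):
            return "allow", "not a token request"
        # Every token request, including ones rejected below, counts against the source.
        if not self._take(req.source_ip):
            return "deny", "rate limit exceeded"
        try:
            params = parse_qs(req.body, keep_blank_values=True,
                              max_num_fields=MAX_FORM_FIELDS)
        except ValueError:               # parse_qs raises when the field cap is exceeded
            return "deny", "too many form fields"
        scope = " ".join(params.get("scope", []))
        scope_len = len(scope.encode("utf-8"))
        if scope_len > MAX_SCOPE_LEN:
            return "deny", f"scope too long ({scope_len} > {MAX_SCOPE_LEN} bytes)"
        if len(scope.split()) > MAX_SCOPE_TOKENS:
            return "deny", "too many scope values"
        return "allow", "ok"


def log_line(req: Request, decision: tuple[str, str]) -> str:
    """One line per decision, suitable for feeding a spike/denial alert."""
    return f'src={req.source_ip} path={req.path} decision={decision[0]} reason="{decision[1]}"'


def run_demo() -> list[tuple[str, str]]:
    """Run the guard over constructed sample traffic and return the decisions."""
    token_path = "/realms/demo/protocol/openid-connect/token"   # constructed realm name
    guard = TokenEndpointGuard()
    samples = [                                                   # constructed requests
        Request("203.0.113.10", "POST", token_path,
                "grant_type=client_credentials&client_id=app&client_secret=x&scope=openid+profile"),
        Request("203.0.113.11", "POST", token_path,
                "grant_type=client_credentials&client_id=app&scope=" + "a" * 4096),
        Request("203.0.113.12", "GET", "/realms/demo/.well-known/openid-configuration", ""),
    ]
    decisions = []
    for req in samples:
        d = guard.check(req)
        decisions.append(d)
        print(log_line(req, d))
    return decisions


if __name__ == "__main__":
    run_demo()
```

The rate limit is taken before the body is parsed so that a flood of oversized requests still consumes the source's budget, and the field cap uses `parse_qs`'s own `max_num_fields` so the guard does not itself do unbounded work on the body it is protecting Keycloak from.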
CVE-2026-4634 is a Denial of Service vulnerability in Keycloak where a crafted request can exhaust server resources, leading to service disruption. It affects versions up to 9.0.3.
Yes, if you are running Keycloak versions 9.0.3 or earlier, you are vulnerable to this DoS attack. Upgrade to 26.5.7 or later to mitigate the risk.
Upgrade Keycloak to version 26.5.7 or later. As a temporary workaround, implement rate limiting and WAF rules to restrict malicious requests.
There is currently no confirmed evidence of active exploitation in the wild, but the vulnerability's ease of exploitation warrants caution.
Refer to the official Keycloak security advisory for detailed information and updates: [https://www.keycloak.org/security/advisories](https://www.keycloak.org/security/advisories)