A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.
{
"github_reviewed_at": "2026-07-01T21:26:22Z",
"nvd_published_at": "2026-05-28T06:16:29Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-305"
],
"severity": "MODERATE"
}