VDB
CVE-2026-4634
CVE-2026-4634
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
EPSS 0.02% · 7.1th percentile
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.02%
7.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 |
| Red Hat | Red Hat build of Keycloak 26.2.15 | |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.11-1 |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2.15-1 |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 |
| Red Hat | Red Hat build of Keycloak 26.4.11 |
Timeline
- Apr 2, 2026 CVE Published
- Apr 2, 2026 PoC Published
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Security Advisory
- Apr 3, 2026 EPSS Score
References
- RHSA-2026:6475 vendor-advisory
- RHSA-2026:6476 vendor-advisory
- RHSA-2026:6477 vendor-advisory
- RHSA-2026:6478 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2026-4634 vdb
- RHBZ#2450250 issue
- https://nvd.nist.gov/vuln/detail/CVE-2026-4634 advisory