{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4634/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4634"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4634","denial-of-service","keycloak"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4634 describes a denial-of-service vulnerability affecting Keycloak servers. This vulnerability allows an unauthenticated attacker to exhaust server resources by sending a specially crafted HTTP POST request to the OpenID Connect (OIDC) token endpoint. The malicious request includes an excessively long scope parameter, which forces the Keycloak server to consume significant processing time and memory. This can result in prolonged processing times for legitimate requests and ultimately a denial of service for all users of the affected Keycloak instance. The vulnerability was reported on April 2, 2026, and affects unpatched versions of Keycloak. Defenders should prioritize patching and consider implementing rate limiting to mitigate the impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Keycloak instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeted at the OIDC token endpoint (e.g., \u003ccode\u003e/auth/realms/{realm-name}/protocol/openid-connect/token\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003escope\u003c/code\u003e parameter in the POST request.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the value of the \u003ccode\u003escope\u003c/code\u003e parameter to an extremely long string, causing the Keycloak server to allocate excessive resources when processing it.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious POST request to the Keycloak server.\u003c/li\u003e\n\u003cli\u003eThe Keycloak server attempts to process the excessively long \u003ccode\u003escope\u003c/code\u003e parameter, consuming CPU and memory resources.\u003c/li\u003e\n\u003cli\u003eRepeated requests from the attacker further exhaust server resources.\u003c/li\u003e\n\u003cli\u003eThe Keycloak server becomes unresponsive, leading to a denial of service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4634 results in a denial-of-service condition, rendering the Keycloak server unavailable. This impacts all applications and services relying on Keycloak for authentication and authorization. The number of affected users depends on the size and criticality of the Keycloak deployment. Organizations in any sector using Keycloak are potentially vulnerable. Unavailability can disrupt business operations, impacting productivity and revenue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Red Hat/Keycloak to address CVE-2026-4634 to eliminate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the OIDC token endpoint to restrict the number of requests from a single IP address within a given timeframe.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the OIDC token endpoint with unusually long \u003ccode\u003escope\u003c/code\u003e parameters to detect potential exploitation attempts and deploy the Sigma rule \u003ccode\u003eDetect Suspiciously Long Scope Parameter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to block requests with excessively long scope parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:27Z","date_published":"2026-04-02T13:16:27Z","id":"/briefs/2026-04-keycloak-dos/","summary":"An unauthenticated attacker can cause a denial-of-service on Keycloak servers by sending a crafted POST request to the OIDC token endpoint with an excessively long scope parameter, leading to high resource consumption.","title":"Keycloak Denial-of-Service Vulnerability via Excessive Scope Parameter (CVE-2026-4634)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4634","version":"https://jsonfeed.org/version/1.1"}