Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak, an open-source identity and access management solution, that allows an attacker holding valid client credentials to bypass brute-force protection on locked user accounts. The bypass occurs within the Client-Initiated Backchannel Authentication (CIBA) flow: once an account has been temporarily locked after repeated failed login attempts, the CIBA flow still accepts authentication attempts for that account and can still issue tokens, so the lockout does not stop an ongoing guessing attack and unauthorized access may follow.
Exploiting this vulnerability lets an attacker keep making authentication attempts against a user account that the lockout mechanism should have blocked. If one of those attempts succeeds, the attacker obtains tokens for the locked user and gains unauthorized access.
To address this vulnerability, do not enable Client-Initiated Backchannel Authentication (CIBA) in a Keycloak realm, or for any client in it, unless it is explicitly required. Where CIBA is already enabled but not needed, disable it so that the CIBA flow cannot be used to bypass brute-force protection. Consult the Keycloak documentation for instructions on managing the CIBA configuration.
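A practical way to apply the mitigation above is to audit a realm export for clients that have opted in to CIBA and to switch the grant off where it is not needed. The script below is an added example and is not part of this advisory or of the Keycloak project. It assumes the input is a realm export JSON (as produced by the admin console export or kc.sh export), that a client opts in to CIBA through the client attribute "oidc.ciba.grant.enabled" (the "OIDC CIBA Grant Enabled" toggle in the client's advanced settings), and that realm-level brute-force detection is the boolean "bruteForceProtected". The sample export embedded in the script is constructed for the example.

```python
"""
Offline audit of a Keycloak realm export for clients with the CIBA grant enabled.

Added example, not original advisory or Keycloak project code. Assumptions
(see lead-in): realm-export JSON layout, the client attribute
"oidc.ciba.grant.enabled" as the CIBA opt-in, and "bruteForceProtected" as the
realm-level lockout switch. SAMPLE_REALM_EXPORT is a constructed sample.
"""
import json

# Client attribute behind the "OIDC CIBA Grant Enabled" toggle (assumption, see lead-in).
CIBA_CLIENT_ATTR = "oidc.ciba.grant.enabled"

# Constructed sample realm export: lockout is on, one client has CIBA enabled.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "bruteForceProtected": True,
    "failureFactor": 5,
    "cibaBackchannelTokenDeliveryMode": "poll",
    "cibaExpiresIn": 120,
    "clients": [
        {"clientId": "web-portal", "publicClient": True, "attributes": {}},
        {"clientId": "callcenter-app", "publicClient": False,
         "attributes": {CIBA_CLIENT_ATTR: "true"}},
        {"clientId": "legacy-app", "publicClient": False,
         "attributes": {CIBA_CLIENT_ATTR: "false"}},
    ],
})


def ciba_enabled(client):
    """True if the client representation has the CIBA grant switched on."""
    value = client.get("attributes", {}).get(CIBA_CLIENT_ATTR, "false")
    return str(value).lower() == "true"


def find_ciba_clients(realm):
    """Sorted clientIds of all clients in the realm dict with CIBA enabled."""
    return sorted(c["clientId"] for c in realm.get("clients", []) if ciba_enabled(c))


def audit_realm(export_json):
    """Summarise the CIBA exposure of one realm export (JSON string)."""
    realm = json.loads(export_json)
    ciba_clients = find_ciba_clients(realm)
    return {
        "realm": realm.get("realm"),
        # Lockout status is reported for context: the bypass in this advisory
        # only matters where accounts actually get locked.
        "brute_force_protected": bool(realm.get("bruteForceProtected", False)),
        "ciba_clients": ciba_clients,
        # Any CIBA-enabled client is an entry point for the bypass.
        "exposed": bool(ciba_clients),
    }


def remediate_export(export_json):
    """Return a copy of the export with the CIBA grant disabled on every client."""
    realm = json.loads(export_json)
    for client in realm.get("clients", []):
        if ciba_enabled(client):
            client.setdefault("attributes", {})[CIBA_CLIENT_ATTR] = "false"
    return json.dumps(realm)


if __name__ == "__main__":
    print(json.dumps(audit_realm(SAMPLE_REALM_EXPORT), indent=2))
    print(json.dumps(audit_realm(remediate_export(SAMPLE_REALM_EXPORT)), indent=2))
```

Run it against a real export by replacing SAMPLE_REALM_EXPORT with the file contents; the remediated representation can then be re-imported, or the listed clients can be adjusted by hand in the admin console. Clients that genuinely need CIBA should stay enabled and be tracked separately until the realm runs a Keycloak release that addresses the issue.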