CVE-2024-4629 (severity: MEDIUM)

CVE-2024-4629: Keycloak: potential bypass of brute force protection

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Weakness: CWE-837
Published: September 3, 2024
Last update: March 26, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, an attacker can exceed the configured limit on failed attempts before the system locks the account: the concurrent requests are evaluated before the failures from the earlier ones have been counted. This timing loophole lets an attacker make more password guesses than the configured limit intends, potentially compromising account security on affected systems.
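To make the timing loophole concrete, here is an added toy model (not Keycloak's code; the limit value, class and function names are illustrative). A counter whose "is the account locked?" check and "record this failure" step are separate lets a burst of concurrent requests all pass the check before any failure is counted, while a counter that reserves the attempt in the same critical section as the check admits only the configured number.

```python
"""Toy model of the race behind CVE-2024-4629 (CWE-837). Added example, not
Keycloak's code: the limit, names and two counter variants are illustrative."""
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_FAILURES = 3  # assumed configured limit (hypothetical value)

class LockoutCounter:
    """Per-account failed-login counter exposing a racy and a safe pattern."""
    def __init__(self, limit=MAX_FAILURES):
        self.limit, self.failures = limit, 0
        self._lock = threading.Lock()
    # Racy pattern: the caller checks, verifies the password, then records.
    def is_locked(self):
        return self.failures >= self.limit
    def record_failure(self):
        with self._lock:
            self.failures += 1
    # Hardened pattern: check and count in one critical section, before the
    # password is verified (a real system would reset the count on success).
    def try_reserve_attempt(self):
        with self._lock:
            if self.failures >= self.limit:
                return False
            self.failures += 1
            return True

def _run_burst(n, attempt):
    """Run n attempts concurrently and return how many were admitted."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(lambda _: attempt(), range(n)))

def simulate_burst_naive(n, limit=MAX_FAILURES):
    """Worst-case interleaving: all n requests pass is_locked() before any
    failure is recorded, so every one of the n guesses is evaluated."""
    guard, barrier = LockoutCounter(limit), threading.Barrier(n)
    def attempt():
        allowed = not guard.is_locked()
        barrier.wait()  # every request has checked before anyone records
        if allowed:
            guard.record_failure()
        return allowed
    return _run_burst(n, attempt)

def simulate_burst_atomic(n, limit=MAX_FAILURES):
    """Same burst against try_reserve_attempt(): only `limit` get through."""
    guard, barrier = LockoutCounter(limit), threading.Barrier(n)
    def attempt():
        barrier.wait()  # release all requests at once
        return guard.try_reserve_attempt()
    return _run_burst(n, attempt)
```

The barrier forces the worst-case interleaving deterministically; in production the same window is opened by ordinary request concurrency, which is why the fix belongs in the counter, not in the caller.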

Key dates

02 Disclosure timeline

September 3, 2024: CVE published
March 26, 2026: Record updated