Description
A flaw was found in Keycloak's client registration endpoint authentication handling. The authorization header parsing code does not validate the array length after splitting the header value, causing an ArrayIndexOutOfBoundsException when a malformed Authorization header is submitted with no token value. CVE-2026-0707 fixed the same pattern in a related class but missed this code path, leaving the client registration endpoints exposed to a pre-authenticated denial of service. All three client registration endpoint types are affected.
Version affected
All versions up to and including latest (incomplete fix from CVE-2026-0707).
Expected behavior
The client registration endpoint should handle malformed Authorization headers gracefully and return an appropriate HTTP error response without throwing an unhandled exception.
Actual behavior
A malformed Authorization header causes an unhandled ArrayIndexOutOfBoundsException, resulting in an HTTP 500 Internal Server Error.
Steps to reproduce
- Send a request to any client registration endpoint with a malformed Authorization header containing no token value.
- Observe that Keycloak returns HTTP 500 Internal Server Error.
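The defect the description names is a split-then-index pattern with no length check on the resulting array. The following Java class, added here as an illustration and not taken from the Keycloak code base (the class and method names are hypothetical), places that pattern next to a hardened version that returns "no token" for every malformed shape so the caller can answer with a 401 or 400 rather than letting an unchecked exception become an HTTP 500:

```java
import java.util.Optional;

/**
 * Illustration of the header-parsing defect described in this issue next to a
 * hardened equivalent. Hypothetical helper class: it is not Keycloak code and
 * does not use Keycloak's real class or method names.
 */
public final class AuthorizationHeaderParsing {

    private AuthorizationHeaderParsing() {}

    /**
     * Vulnerable pattern: split on a single space and read the second element
     * without checking how many elements the split produced. A header such as
     * "Bearer" (scheme but no token value) yields a one-element array, so
     * parts[1] throws ArrayIndexOutOfBoundsException; if nothing above catches
     * it, the request ends in an HTTP 500.
     */
    static String bearerTokenUnchecked(String authorizationHeader) {
        String[] parts = authorizationHeader.split(" ");
        return parts[1];
    }

    /**
     * Hardened pattern: a null header, a missing or empty token, a wrong scheme
     * or extra segments all map to Optional.empty(), so the caller decides the
     * HTTP status and no unchecked exception escapes the parser.
     */
    static Optional<String> bearerTokenChecked(String authorizationHeader) {
        if (authorizationHeader == null) {
            return Optional.empty();
        }
        String[] parts = authorizationHeader.trim().split("\\s+");
        if (parts.length != 2) {
            return Optional.empty();
        }
        if (!"bearer".equalsIgnoreCase(parts[0]) || parts[1].isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(parts[1]);
    }

    public static void main(String[] args) {
        // Constructed sample headers: one well-formed, the rest malformed in
        // the ways the issue describes (scheme present, token value absent).
        String[] samples = { "Bearer abc.def.ghi", "Bearer", "Bearer ", "", "Basic dXNlcjpwYXNz" };

        for (String header : samples) {
            System.out.println("Header: \"" + header + "\"");
            System.out.println("  checked   -> " + bearerTokenChecked(header)
                    .map(t -> "token " + t)
                    .orElse("reject with 401, no exception"));
            try {
                System.out.println("  unchecked -> token " + bearerTokenUnchecked(header));
            } catch (ArrayIndexOutOfBoundsException e) {
                System.out.println("  unchecked -> " + e.getClass().getSimpleName()
                        + " (would surface as HTTP 500)");
            }
        }
    }
}
```

Note that `String.split` drops trailing empty strings, so `"Bearer "` and `"Bearer"` both produce a one-element array; a regression test for this class of bug should cover both, plus the empty header, rather than only the "no space" case.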
This issue was originally tracked in the private repository. Migrated by @abstractj.