Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 maven packages depend on org.keycloak:keycloak-saml-adapter-core (4 direct, 1 indirect)
- 29 maven packages depend on org.keycloak:keycloak-saml-core (8 direct, 21 indirect)
- 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.3.0 and other introduced versions.
DescriptionCVE.org
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
AnalysisAI
Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to inject encrypted assertions for arbitrary principals when the overall SAML response is unsigned. This leads to authentication bypass and unauthorized access to protected resources. Red Hat build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. No evidence of active exploitation (not in CISA KEV) has been reported.
Technical ContextAI
This vulnerability affects Keycloak's implementation of SAML (Security Assertion Markup Language) identity brokering, specifically in the validation logic for encrypted assertions within SAML responses. The affected products include Red Hat build of Keycloak 26.2 (including 26.2.14) and 26.4 (including 26.4.10) as identified by CPE strings cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.2 and cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.4. The root cause falls under CWE-1287 (Improper Validation of Specified Type of Input), where the endpoint fails to properly validate encrypted SAML assertions when the overall response envelope lacks a signature. SAML brokers are used in federated identity scenarios where Keycloak acts as a service provider accepting assertions from external identity providers. The validation weakness allows manipulation of the encryption layer to substitute principal identities even when the original assertion is properly signed.
RemediationAI
Apply the patches provided by Red Hat for the affected Keycloak versions: upgrade to version 26.2-16 or 26.2.14-1 for the 26.2 branch, or version 26.4-12 or 26.4.10-1 for the 26.4 branch. Detailed patching instructions are available in Red Hat Security Advisories RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948 at https://access.redhat.com/errata/. As an interim workaround until patching is completed, organizations should review and restrict SAML broker configurations to only trust well-validated identity providers, implement additional authentication factors for sensitive operations, and monitor authentication logs for anomalous principal assertions or unusual federated login patterns. Consider temporarily disabling SAML brokering for non-critical identity providers if feasible during the patching window.
Same technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #1088287| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12688
GHSA-794g-x443-36f7