Skip to main content

Red Hat Build Of Keycloak 26 2 CVE-2026-2092

| EUVDEUVD-2026-12688 HIGH
Improper Validation of Specified Type of Input (CWE-1287)
7.7
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.7 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Red Hat
7.7 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 01:30 euvd
EUVD-2026-12688
Analysis Generated
Mar 18, 2026 - 01:30 vuln.today
CVE Published
Mar 18, 2026 - 01:14 nvd
HIGH 7.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on org.keycloak:keycloak-saml-adapter-core (4 direct, 1 indirect)
  • 29 maven packages depend on org.keycloak:keycloak-saml-core (8 direct, 21 indirect)
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.3.0 and other introduced versions.

DescriptionCVE.org

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

AnalysisAI

Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to inject encrypted assertions for arbitrary principals when the overall SAML response is unsigned. This leads to authentication bypass and unauthorized access to protected resources. Red Hat build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. No evidence of active exploitation (not in CISA KEV) has been reported.

Technical ContextAI

This vulnerability affects Keycloak's implementation of SAML (Security Assertion Markup Language) identity brokering, specifically in the validation logic for encrypted assertions within SAML responses. The affected products include Red Hat build of Keycloak 26.2 (including 26.2.14) and 26.4 (including 26.4.10) as identified by CPE strings cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.2 and cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.4. The root cause falls under CWE-1287 (Improper Validation of Specified Type of Input), where the endpoint fails to properly validate encrypted SAML assertions when the overall response envelope lacks a signature. SAML brokers are used in federated identity scenarios where Keycloak acts as a service provider accepting assertions from external identity providers. The validation weakness allows manipulation of the encryption layer to substitute principal identities even when the original assertion is properly signed.

RemediationAI

Apply the patches provided by Red Hat for the affected Keycloak versions: upgrade to version 26.2-16 or 26.2.14-1 for the 26.2 branch, or version 26.4-12 or 26.4.10-1 for the 26.4 branch. Detailed patching instructions are available in Red Hat Security Advisories RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948 at https://access.redhat.com/errata/. As an interim workaround until patching is completed, organizations should review and restrict SAML broker configurations to only trust well-validated identity providers, implement additional authentication factors for sensitive operations, and monitor authentication logs for anomalous principal assertions or unusual federated login patterns. Consider temporarily disabling SAML brokering for non-critical identity providers if feasible during the patching window.

Vendor StatusVendor

Debian

Bug #1088287
keycloak
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-2092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy