Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 maven packages depend on org.keycloak:keycloak-saml-adapter-core (4 direct, 1 indirect)
- 33 maven packages depend on org.keycloak:keycloak-saml-core (8 direct, 25 indirect)
- 56 maven packages depend on org.keycloak:keycloak-services (27 direct, 29 indirect)
Ecosystem-wide dependent count for version 26.5.4 and other introduced versions.
DescriptionCVE.org
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
AnalysisAI
Unauthenticated remote attackers can exhaust memory in Red Hat Build of Keycloak 26.4 and 26.4.10 by sending highly compressed SAML requests that bypass decompression size limits, triggering denial of service. The vulnerability affects SAML Redirect Binding implementations that fail to enforce resource constraints during DEFLATE decompression, allowing attackers to crash the application with OutOfMemoryError conditions. No patch is currently available.
Technical ContextAI
This vulnerability exploits the SAML 2.0 Redirect Binding protocol, which uses DEFLATE compression for XML payloads. Keycloak fails to enforce decompression bomb protections (CWE-409: Improper Restriction of Rendered UI Layers or Frames, which generalizes to unbounded resource consumption during decompression). When processing incoming SAMLRequest messages, the server decompresses the payload without size validation, allowing an attacker to send a small compressed payload that expands to extremely large sizes in memory, exhausting heap allocation and triggering OutOfMemoryError. The affected CPE identifiers include cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.4:*:*:*:*:*:*:*:* and specifically patch versions 26.4-12 and 26.4.10-1, confirming the issue spans multiple minor releases.
RemediationAI
Immediately upgrade Red Hat build of Keycloak to a patched version beyond 26.4.10-1, following the guidance in Red Hat advisories RHSA-2026:3947 and RHSA-2026:3948 available at https://access.redhat.com/errata/. As a temporary mitigation prior to patching, implement a reverse proxy or WAF rule that enforces maximum size limits on SAML requests before they reach Keycloak (set a reasonable upper bound such as 1 MB for SAMLRequest payloads to block decompression bombs), restrict SAML endpoint access to known IdP IP ranges if possible, and configure JVM memory monitoring with alerts for OutOfMemoryError conditions. Additionally, ensure heap memory limits are appropriately sized and monitored, and consider implementing request rate limiting on SAML endpoints to reduce the frequency of potential attacks during the patch window.
Keycloak contains an authentication bypass vulnerability in its SAML broker functionality that allows remote attackers w
Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to i
Same technique Denial Of Service
View allVendor StatusVendor
Debian
Bug #1088287| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12766
GHSA-xv6h-r36f-3gp5