Skip to main content

Red Hat Build Of Keycloak 26 4 CVE-2026-2575

| EUVDEUVD-2026-12766 MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-03-18 redhat GHSA-xv6h-r36f-3gp5
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 04:30 euvd
EUVD-2026-12766
Analysis Generated
Mar 18, 2026 - 04:30 vuln.today
CVE Published
Mar 18, 2026 - 03:19 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on org.keycloak:keycloak-saml-adapter-core (4 direct, 1 indirect)
  • 33 maven packages depend on org.keycloak:keycloak-saml-core (8 direct, 25 indirect)
  • 56 maven packages depend on org.keycloak:keycloak-services (27 direct, 29 indirect)

Ecosystem-wide dependent count for version 26.5.4 and other introduced versions.

DescriptionCVE.org

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

AnalysisAI

Unauthenticated remote attackers can exhaust memory in Red Hat Build of Keycloak 26.4 and 26.4.10 by sending highly compressed SAML requests that bypass decompression size limits, triggering denial of service. The vulnerability affects SAML Redirect Binding implementations that fail to enforce resource constraints during DEFLATE decompression, allowing attackers to crash the application with OutOfMemoryError conditions. No patch is currently available.

Technical ContextAI

This vulnerability exploits the SAML 2.0 Redirect Binding protocol, which uses DEFLATE compression for XML payloads. Keycloak fails to enforce decompression bomb protections (CWE-409: Improper Restriction of Rendered UI Layers or Frames, which generalizes to unbounded resource consumption during decompression). When processing incoming SAMLRequest messages, the server decompresses the payload without size validation, allowing an attacker to send a small compressed payload that expands to extremely large sizes in memory, exhausting heap allocation and triggering OutOfMemoryError. The affected CPE identifiers include cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.4:*:*:*:*:*:*:*:* and specifically patch versions 26.4-12 and 26.4.10-1, confirming the issue spans multiple minor releases.

RemediationAI

Immediately upgrade Red Hat build of Keycloak to a patched version beyond 26.4.10-1, following the guidance in Red Hat advisories RHSA-2026:3947 and RHSA-2026:3948 available at https://access.redhat.com/errata/. As a temporary mitigation prior to patching, implement a reverse proxy or WAF rule that enforces maximum size limits on SAML requests before they reach Keycloak (set a reasonable upper bound such as 1 MB for SAMLRequest payloads to block decompression bombs), restrict SAML endpoint access to known IdP IP ranges if possible, and configure JVM memory monitoring with alerts for OutOfMemoryError conditions. Additionally, ensure heap memory limits are appropriately sized and monitored, and consider implementing request rate limiting on SAML endpoints to reduce the frequency of potential attacks during the patch window.

Vendor StatusVendor

Debian

Bug #1088287
keycloak
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-2575 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy