Skip to main content

Red Hat Build Of Keycloak 26 2 CVE-2026-2603

| EUVDEUVD-2026-12690 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-18 redhat GHSA-x4p7-7chp-64hq
8.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 01:30 euvd
EUVD-2026-12690
Analysis Generated
Mar 18, 2026 - 01:30 vuln.today
CVE Published
Mar 18, 2026 - 01:14 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 53 maven packages depend on org.keycloak:keycloak-server-spi-private (22 direct, 31 indirect)
  • 43 maven packages depend on org.keycloak:keycloak-services (15 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.5 and other introduced versions.

DescriptionCVE.org

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

AnalysisAI

Keycloak contains an authentication bypass vulnerability in its SAML broker functionality that allows remote attackers with low-level privileges to complete IdP-initiated broker logins even when the SAML Identity Provider has been administratively disabled. Red Hat Build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. The CVSS score of 8.1 reflects high confidentiality and integrity impact, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported at this time.

Technical ContextAI

This vulnerability affects the SAML (Security Assertion Markup Language) broker implementation in Keycloak, Red Hat's open-source identity and access management solution. The flaw stems from CWE-306 (Missing Authentication for Critical Function), where the SAML endpoint processing IdP-initiated broker logins fails to properly validate whether the configured Identity Provider is enabled before accepting authentication assertions. Affected products include Red Hat Build of Keycloak 26.2 (CPE: cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.2) and 26.4 (CPE: cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.4). The vulnerability exists in the broker login flow where external IdPs send SAML responses to Keycloak's SAML endpoint, and the system processes these responses without checking the administrative state of the IdP configuration.

RemediationAI

Immediately upgrade to patched versions of Red Hat Build of Keycloak: version 26.2-16 or 26.2.14-1 for the 26.2 series, or version 26.4-12 or 26.4.10-1 for the 26.4 series, as detailed in Red Hat security advisories RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948 (see https://access.redhat.com/errata/). Until patching is completed, implement network-level access controls to restrict the Keycloak SAML endpoint to trusted IP ranges only, audit all SAML IdP configurations to verify enabled/disabled states match security policies, and monitor authentication logs for unexpected IdP-initiated logins from disabled providers. As an additional interim control, consider removing or invalidating SAML metadata for disabled IdPs from the Keycloak configuration to prevent acceptance of assertions from those sources. Review all recent authentication events to identify potential exploitation attempts where disabled IdPs successfully authenticated users.

Vendor StatusVendor

Debian

Bug #1088287
keycloak
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-2603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy