Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 53 maven packages depend on org.keycloak:keycloak-server-spi-private (22 direct, 31 indirect)
- 43 maven packages depend on org.keycloak:keycloak-services (15 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.5.5 and other introduced versions.
DescriptionCVE.org
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
AnalysisAI
Keycloak contains an authentication bypass vulnerability in its SAML broker functionality that allows remote attackers with low-level privileges to complete IdP-initiated broker logins even when the SAML Identity Provider has been administratively disabled. Red Hat Build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. The CVSS score of 8.1 reflects high confidentiality and integrity impact, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported at this time.
Technical ContextAI
This vulnerability affects the SAML (Security Assertion Markup Language) broker implementation in Keycloak, Red Hat's open-source identity and access management solution. The flaw stems from CWE-306 (Missing Authentication for Critical Function), where the SAML endpoint processing IdP-initiated broker logins fails to properly validate whether the configured Identity Provider is enabled before accepting authentication assertions. Affected products include Red Hat Build of Keycloak 26.2 (CPE: cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.2) and 26.4 (CPE: cpe:2.3:a:red_hat:red_hat_build_of_keycloak_26.4). The vulnerability exists in the broker login flow where external IdPs send SAML responses to Keycloak's SAML endpoint, and the system processes these responses without checking the administrative state of the IdP configuration.
RemediationAI
Immediately upgrade to patched versions of Red Hat Build of Keycloak: version 26.2-16 or 26.2.14-1 for the 26.2 series, or version 26.4-12 or 26.4.10-1 for the 26.4 series, as detailed in Red Hat security advisories RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948 (see https://access.redhat.com/errata/). Until patching is completed, implement network-level access controls to restrict the Keycloak SAML endpoint to trusted IP ranges only, audit all SAML IdP configurations to verify enabled/disabled states match security policies, and monitor authentication logs for unexpected IdP-initiated logins from disabled providers. As an additional interim control, consider removing or invalidating SAML metadata for disabled IdPs from the Keycloak configuration to prevent acceptance of assertions from those sources. Review all recent authentication events to identify potential exploitation attempts where disabled IdPs successfully authenticated users.
Same technique Authentication Bypass
View allVendor StatusVendor
Debian
Bug #1088287| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12690
GHSA-x4p7-7chp-64hq