Build Of Keycloak
CVE-2026-3047
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 3 maven packages depend on org.keycloak:keycloak-broker-saml (1 direct, 2 indirect)
Ecosystem-wide dependent count for version 1.8.1.Final.
DescriptionCVE.org
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
AnalysisAI
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
Technical ContextAI
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Build Of Keycloak
View allA misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita
Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across
A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag
A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no
An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e
A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentic
Same weakness CWE-305 – Authentication Bypass by Primary Weakness
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-8cr3-vpxx-92cx