CVE-2026-2603

Summary

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.226.2.14-1 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-16 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-16 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4.10-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-12 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-12 < *unaffected

Weaknesses

  • CWE-306: Missing Authentication for Critical Function

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Additional References

References