CVE-2026-3047

Summary

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.226.2.14-1 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-16 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-16 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4.10-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-12 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-12 < *unaffected

Weaknesses

  • CWE-305: Authentication Bypass by Primary Weakness

Workarounds

To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login

Additional References

References