Description
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
Published: 2026-01-26
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Extension of SAML Response Validity
Action: Patch Update
AI Analysis

Impact

Keycloak’s SAML brokering component does not validate the NotOnOrAfter attribute of the SubjectConfirmationData element. This omission allows an attacker to construct a SAML response that remains considered valid for longer than intended, extending session duration or forcing repeated authentication flows. The missing check can lead to unexpected resource consumption or prolonged unauthorized access if the broker accepts the stale assertion.

Affected Systems

Affected installations include Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat Single Sign‑On 7, and the Red Hat build of Keycloak version 26.4 (including 26.4.10). These are the CVE’s CNA‑identified product versions.

Risk and Exploitability

The CVSS score of 3.1 indicates low overall severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. This vulnerability is not listed in CISA’s known exploited vulnerabilities catalog. Attackers would need to target the SAML authentication path by injecting a crafted assertion with an inflated NotOnOrAfter timestamp; the exploitation requires access to the SAML broker configuration and the ability to supply the forged response.

Generated by OpenCVE AI on April 18, 2026 at 19:50 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Install the Red Hat errata RHSA-2026:3947 and RHSA-2026:3948 that add validation of the NotOnOrAfter timestamp in Keycloak’s SAML handler.
  • Restart the Keycloak services after applying the updates to ensure the new code is active.
  • Continuously monitor SAML assertion logs for abnormal or far‑future NotOnOrAfter values to detect any attempts to abuse the validation logic.

Generated by OpenCVE AI on April 18, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-63v5-26vq-m4vm Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
History

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.4::el9
References

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
Title org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData Org.keycloak/keycloak-services: keycloak saml brokering: response delay due to unchecked notonorafter in subjectconfirmationdata
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
References

Tue, 20 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData
Weaknesses CWE-112
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

threat_severity

Low

Subscriptions

Redhat Build Keycloak Jboss Enterprise Application Platform Jbosseapxp Red Hat Single Sign On
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-06T03:31:19.967Z

Reserved: 2026-01-19T13:44:11.164Z

Link: CVE-2026-1190

cve-icon Vulnrichment

Updated: 2026-01-26T20:57:47.531Z

cve-icon NVD

Status : Deferred

Published: 2026-01-26T20:16:09.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1190

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-19T08:08:00Z

Links: CVE-2026-1190 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses