Description
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
Published: 2026-03-18
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access
Action: Patch now
AI Analysis

Impact

Keycloak's SAML broker endpoint fails to validate encrypted assertions when the overall SAML response is not signed. An attacker who already possesses a signed SAML assertion can forge a SAML response that includes a maliciously encrypted assertion for an arbitrary user. This allows the attacker to impersonate that user and access resources or data for which the user has privileges, potentially revealing sensitive information.

Affected Systems

The flaw affects Red Hat build of Keycloak versions 26.2, 26.2.14, 26.4, and 26.4.10. Customers using these builds on Red Hat Enterprise Linux 9 are at risk.

Risk and Exploitability

With a CVSS score of 7.7 and an EPSS of less than 1%, the vulnerability is considered high severity but unlikely to be widely exploited at present. The CVE is not listed in the CISA KEV catalog. The exploit requires network access to the SAML broker endpoint and the ability to craft a signed but malformed SAML response, making the attack vector remote and feasible against publicly exposed Keycloak instances.

Generated by OpenCVE AI on April 16, 2026 at 02:44 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat Security Advisory RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, or RHSA-2026:3948 to update Keycloak to a patched version.
  • Configure Keycloak to require that all SAML responses be signed by the identity provider and reject unsigned or improperly signed responses.
  • Restrict network access to the Keycloak SAML broker endpoint, allowing only trusted identity providers to send assertions.
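As an added defender-side check (example code written for this page, not Keycloak's own code and not part of the advisory) covering both the flaw described above and the recommended action to reject unsigned responses: a structural pre-check over a SAML Response that refuses an EncryptedAssertion unless the enclosing Response carries its own signature, and refuses any response carrying more than one assertion element. It does not verify signatures cryptographically, and the sample responses, with their placeholder signature and ciphertext bodies, are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML Digital Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_response_structure(xml_text: str) -> tuple:
    """Structural gate to apply before decrypting or verifying anything.

    Returns (accept, reason). Signatures are not verified cryptographically
    here; the check only enforces that an EncryptedAssertion is accepted
    solely when the enclosing Response carries its own signature, and that
    a Response carries exactly one assertion element.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "root element is not samlp:Response"
    # Only a Signature that is a direct child of Response counts; a signature
    # nested inside an Assertion says nothing about the Response itself.
    response_signed = root.find("ds:Signature", NS) is not None
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    total = len(plain) + len(encrypted)
    if total != 1:
        return False, f"expected exactly one assertion element, found {total}"
    if encrypted and not response_signed:
        return False, "EncryptedAssertion present but the Response is unsigned"
    return True, "structure acceptable; continue with signature verification"

# Constructed sample responses; signature and ciphertext bodies are placeholders.
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
_ENC = ('<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
        '</saml:EncryptedAssertion>')
_PLAIN = (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
          f'{_SIG}</saml:Assertion>')

def build_response(*children: str) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
            + "".join(children) + '</samlp:Response>')

UNSIGNED_ENCRYPTED = build_response(_ENC)        # the flawed case: must be rejected
SIGNED_ENCRYPTED = build_response(_SIG, _ENC)    # acceptable structure
MIXED = build_response(_PLAIN, _ENC)             # signed plain assertion plus a second, encrypted one
```

Run `check_response_structure` on each constructed document to see which structures pass; a passing result only means the response may proceed to real signature verification and decryption.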

Advisories

Source: GitHub GHSA
ID: GHSA-wmxr-6j5f-838p
Title: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

History

Wed, 18 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 01:30:00 +0000

Type: Description
Values Removed: No description is available for this CVE.
Values Added: A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

Type: Title
Values Removed: keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
Values Added: Keycloak-services: keycloak: unauthorized access via improper validation of encrypted saml assertions

Type: References
(no values listed)

Fri, 06 Mar 2026 00:15:00 +0000

Type: Description
Values Added: No description is available for this CVE.

Type: Title
Values Added: keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Type: First Time appeared
Values Added: Redhat; Redhat build Keycloak

Type: Weaknesses
Values Added: CWE-1287

Type: CPEs
Values Added: cpe:/a:redhat:build_keycloak:26.2::el9; cpe:/a:redhat:build_keycloak:26.4::el9

Type: Vendors & Products
Values Added: Redhat; Redhat build Keycloak

Type: References
(no values listed)

Type: Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L'}; threat_severity: Important

MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-03-18T14:11:08.708Z
Reserved: 2026-02-06T10:28:15.411Z
Link: CVE-2026-2092

Vulnrichment
Updated: 2026-03-18T14:11:03.636Z

NVD
Status: Awaiting Analysis
Published: 2026-03-18T02:16:24.577
Modified: 2026-03-18T14:52:44.227
Link: CVE-2026-2092

Redhat
Severity: Important
Public Date: 2026-03-05T12:34:00Z
Links: CVE-2026-2092 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-16T02:45:06Z

Weaknesses