Description
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Published: 2026-03-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (application level)
Action: Apply Update
AI Analysis

Impact

A flaw in Red Hat’s Keycloak 26.4 build allows an unauthenticated remote attacker to trigger an application‑level denial of service by sending a highly compressed SAMLRequest via the SAML Redirect Binding. The server does not enforce size limits during DEFLATE decompression, which can cause an OutOfMemoryError that terminates the process and brings the service down. The vulnerability’s primary impact is availability loss; confidentiality and integrity remain unaffected.

Affected Systems

Red Hat enterprise builds of Keycloak 26.4 and 26.4.10 running on Red Hat Enterprise Linux 9 are affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a remote, unauthenticated attacker who crafts an overly compressed SAMLRequest that reaches the Keycloak redirect endpoint; server‑side decompression fails, an OOM error occurs, and the service process exits, resulting in denial of service.

Generated by OpenCVE AI on April 16, 2026 at 02:43 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Apply the Red Hat security erratum RHSA‑2026:3947 or RHSA‑2026:3948 to update Keycloak and patch the decompression size‑limit check.
  • Configure an upstream proxy or load balancer to reject heavily compressed requests or to enforce a maximum payload size before requests reach Keycloak.
  • Enable automatic process monitoring or a health‑check mechanism so that the Keycloak service restarts promptly after an OutOfMemoryError, minimizing downtime.

Generated by OpenCVE AI on April 16, 2026 at 02:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xv6h-r36f-3gp5 Keycloak: Denial of Service due to excessive SAMLRequest decompression
History

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Title keycloak: Keycloak: Denial of Service due to excessive SAMLRequest decompression Keycloak: keycloak: denial of service due to excessive samlrequest decompression
First Time appeared Redhat
Redhat build Keycloak
CPEs cpe:/a:redhat:build_keycloak:26.4::el9
Vendors & Products Redhat
Redhat build Keycloak
References

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Keycloak
Keycloak keycloak
Vendors & Products Keycloak
Keycloak keycloak

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title keycloak: Keycloak: Denial of Service due to excessive SAMLRequest decompression
Weaknesses CWE-409
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Subscriptions

Keycloak Keycloak
Redhat Build Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-18T13:34:42.871Z

Reserved: 2026-02-16T08:39:17.943Z

Link: CVE-2026-2575

cve-icon Vulnrichment

Updated: 2026-03-18T13:34:39.242Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T04:17:16.783

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-2575

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-16T08:08:00Z

Links: CVE-2026-2575 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses