Description
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
Published: 2026-03-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass allowing unauthorized SSO session and access to enabled clients
Action: Patch ASAP
AI Analysis

Impact

A flaw in the SAML broker component of Keycloak allows a disabled SAML client that is configured as an IdP‑initiated broker landing target to complete the authentication flow, resulting in the creation of a valid Single Sign‑On session. The flaw permits a remote attacker to bypass the usual authentication checks, thereby gaining unauthorized access to any enabled clients associated with the same realm without re‑authentication. This represents an authentication bypass (CWE‑305) that can compromise confidentiality and integrity of protected resources.

Affected Systems

Red Hat builds of Keycloak are affected, including versions 26.2, 26.2.14, 26.4, and 26.4.10. Users deploying these releases should verify whether they have disabled SAML clients that are still referenced as broker landing targets in their realm configuration.

Risk and Exploitability

The vulnerability carries a CVSS 8.8 score, indicating high severity, but the EPSS score is below 1 %, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by leveraging the IdP‑initiated SAML flow; the condition requires a disabled client to be incorrectly mapped as a broker landing target, a configuration mistake that provides an opportunity to gain unauthorized SSO access.

Generated by OpenCVE AI on April 16, 2026 at 12:15 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.

OpenCVE Recommended Actions

  • Upgrade Red Hat Keycloak to a release that includes the fix (for example, adopt the latest patch from RHSA-2026:3925, RHSA-2026:3948, or later).
  • Audit each realm to ensure that any SAML client marked as disabled is not configured as an IdP‑initiated broker landing target; remove such associations.
  • Re‑configure or delete any disabled SAML clients that are incorrectly referenced as broker landing targets and verify that the broker configuration no longer allows the disabled client to complete the login flow.

Generated by OpenCVE AI on April 16, 2026 at 12:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8cr3-vpxx-92cx Keycloak SAML Broken has Authentication Bypass by Primary Weakness
History

Thu, 26 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Redhat keycloak
CPEs cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:26.2.14:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:26.4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*
Vendors & Products Redhat build Of Keycloak
Redhat keycloak

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Red Hat
Red Hat red Hat Build Of Keycloak 26.2
Red Hat red Hat Build Of Keycloak 26.2.14
Red Hat red Hat Build Of Keycloak 26.4
Red Hat red Hat Build Of Keycloak 26.4.10
Vendors & Products Red Hat
Red Hat red Hat Build Of Keycloak 26.2
Red Hat red Hat Build Of Keycloak 26.2.14
Red Hat red Hat Build Of Keycloak 26.4
Red Hat red Hat Build Of Keycloak 26.4.10

Fri, 06 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 05 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:26.2::el9
References

Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.4::el9
References

Thu, 05 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
Title Org.keycloak.broker.saml: keycloak saml broker: authentication bypass due to disabled saml client completing idp-initiated login
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-305
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Red Hat Red Hat Build Of Keycloak 26.2 Red Hat Build Of Keycloak 26.2.14 Red Hat Build Of Keycloak 26.4 Red Hat Build Of Keycloak 26.4.10
Redhat Build Keycloak Build Of Keycloak Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-06T18:13:14.612Z

Reserved: 2026-02-23T17:30:53.926Z

Link: CVE-2026-3047

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T19:16:18.383

Modified: 2026-03-26T14:20:02.470

Link: CVE-2026-3047

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-05T11:24:00Z

Links: CVE-2026-3047 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses