{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3047", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-02-23T17:30:53.926Z", "datePublished": "2026-03-05T18:28:36.337Z", "dateUpdated": "2026-03-06T18:13:14.612Z"}, "containers": {"cna": {"title": "Org.keycloak.broker.saml: keycloak saml broker: authentication bypass due to disabled saml client completing idp-initiated login", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.2.14-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.2-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.2-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2.14", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.4.10-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.4-12", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.4-12", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:3925", "name": "RHSA-2026:3925", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:3926", "name": "RHSA-2026:3926", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:3947", "name": "RHSA-2026:3947", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:3948", "name": "RHSA-2026:3948", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-3047", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966", "name": "RHBZ#2441966", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-03-05T11:24:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness", "workarounds": [{"lang": "en", "value": "To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients."}], "timeline": [{"lang": "en", "time": "2026-02-23T17:29:50.192Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-05T11:24:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-03-06T02:36:29.782Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:13:06.967396Z", "id": "CVE-2026-3047", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:13:14.612Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "1830E455-7E11-4264-862D-05971A42D4A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:*:*:*:*", "matchCriteriaId": "DBB531B3-5BD6-41B4-882C-A42F611819B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "56732D81-7096-40F3-A990-1C84E2D984F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*", "matchCriteriaId": "3C8F3485-92CB-4F23-A35A-AAA444FDF39E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "C8A55A00-BD52-4198-B43A-62919C272AA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*", "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en org.keycloak.broker.saml. Cuando un cliente de Security Assertion Markup Language (SAML) deshabilitado se configura como un objetivo de aterrizaje de intermediario iniciado por un Proveedor de Identidad (IdP), a\u00fan puede completar el proceso de inicio de sesi\u00f3n y establecer una sesi\u00f3n de Single Sign-On (SSO). Esto permite a un atacante remoto obtener acceso no autorizado a otros clientes habilitados sin re-autenticaci\u00f3n, eludiendo eficazmente las restricciones de seguridad."}], "id": "CVE-2026-3047", "lastModified": "2026-03-26T14:20:02.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:18.383", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:3925"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:3926"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:3947"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2026:3948"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-3047"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2026:3925", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-operator-bundle:26.2.14-1", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3925", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9:26.2-16", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3925", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9-operator:26.2-16", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3926", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.2.14", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3948", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "keycloak-rhel9-container-26.4-12", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3948", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "keycloak-rhel9-operator-bundle-container-26.4.10-1", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3948", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "keycloak-rhel9-operator-container-26.4-12", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-03-05T00:00:00Z"}, {"advisory": "RHSA-2026:3947", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.4.10", "release_date": "2026-03-05T00:00:00Z"}], "bugzilla": {"description": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login", "id": "2441966", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-305", "details": ["A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients."}, "name": "CVE-2026-3047", "public_date": "2026-03-05T11:24:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3047\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3047"], "statement": "CRITICAL: This flaw allows a disabled SAML client in Keycloak, when configured as an IdP-initiated broker landing target, to still facilitate a successful login. This bypasses the intended security control, granting an authenticated user access to other enabled clients without re-authentication. This issue affects Keycloak instances where a disabled SAML client is configured for IdP-initiated brokering and the user exists in the external Identity Provider.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[26.2.14-1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Red Hat build of Keycloak 26.2", "source": "cna", "vendor": "Red Hat"}, "product": "red_hat_build_of_keycloak_26.2", "vendor": "red_hat"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[26.2-16,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Red Hat build of Keycloak 26.2", "source": "cna", "vendor": "Red Hat"}, "product": "red_hat_build_of_keycloak_26.2", "vendor": "red_hat"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Red Hat build of Keycloak 26.2.14", "source": "cna", "vendor": "Red Hat"}, "product": "red_hat_build_of_keycloak_26.2.14", "vendor": "red_hat"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[26.4.10-1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Red Hat build of Keycloak 26.4", "source": "cna", "vendor": "Red Hat"}, "product": "red_hat_build_of_keycloak_26.4", "vendor": "red_hat"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[26.4-12,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Red Hat build of Keycloak 26.4", "source": "cna", "vendor": "Red Hat"}, "product": "red_hat_build_of_keycloak_26.4", "vendor": "red_hat"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Red Hat build of Keycloak 26.4.10", "source": "cna", "vendor": "Red Hat"}, "product": "red_hat_build_of_keycloak_26.4.10", "vendor": "red_hat"}], "created": "2026-03-06T15:01:26.808629+00:00", "updated": "2026-03-06T15:01:26.808749+00:00", "vendors": ["red_hat", "red_hat$PRODUCT$red_hat_build_of_keycloak_26.2", "red_hat$PRODUCT$red_hat_build_of_keycloak_26.2.14", "red_hat$PRODUCT$red_hat_build_of_keycloak_26.4", "red_hat$PRODUCT$red_hat_build_of_keycloak_26.4.10"]}