CVE-2026-7307 - Vulnerability Details

- Keycloak: keycloak: denial of service via specially crafted saml input

Description

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.

Published: 2026-05-19

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Keycloak allows a remote, unauthenticated attacker to send a specially crafted XML payload to the Security Assertion Markup Language (SAML) endpoint. The malformed input triggers intensive CPU usage and worker thread starvation, eventually exhausting system resources and rendering the server unavailable. This weakness is classified under CWE‑1286, indicating improper resource handling that permits denial of service.

Affected Systems

All deployments of Red Hat Build of Keycloak that expose the SAML endpoint are impacted; no specific version range is provided in the advisory, so any installation without a patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity, while the EPSS score is not available, leaving the practical exploitation probability unclear. The vulnerability does not require authentication and relies solely on network access to the SAML endpoint, making it readily exploitable by any host that can reach the service. The attack is straightforward for an attacker, but the effect is limited to service availability, and the issue is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat

Red Hat build of Keycloak 26.2

affected

Version	Status	Constraints
`26.2.16-1`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.2

affected

Version	Status	Constraints
`26.2-21`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.2

affected

Version	Status	Constraints
`26.2-21`	unaffected	< *

Red Hat Red Hat build of Keycloak 26.2.16 unaffected —

Red Hat

Red Hat build of Keycloak 26.4

affected

Version	Status	Constraints
`26.4.12-1`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.4

affected

Version	Status	Constraints
`26.4-17`	unaffected	< *

Red Hat

Red Hat build of Keycloak 26.4

affected

Version	Status	Constraints
`26.4-17`	unaffected	< *

Red Hat Red Hat build of Keycloak 26.4.12 unaffected —

Configuration 1 [-]

cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Redhat

Build Of Keycloak

95%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.

OpenCVE Recommended Actions

Restrict network access to the Keycloak SAML endpoint to trusted networks; apply firewall rules to limit inbound traffic on the Keycloak service port (e.g., 8080) from untrusted sources.
If the SAML protocol is not required for your deployment, disable the SAML feature to eliminate the attack surface.
Apply the mitigation changes by restarting or reloading the Keycloak service; verify that the service remains operational afterwards.

Generated by OpenCVE AI on May 19, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-p5mv-gj8j-xqgf	Keycloak: Denial of Service via specially crafted SAML input

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00059.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2026:19594
https://access.redhat.com/errata/RHSA-2026:19595
https://access.redhat.com/errata/RHSA-2026:19596
https://access.redhat.com/errata/RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-7307
https://bugzilla.redhat.com/show_bug.cgi?id=2476526
https://nvd.nist.gov/vuln/detail/CVE-2026-7307
https://www.cve.org/CVERecord?id=CVE-2026-7307

History

Wed, 03 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:redhat:build_of_keycloak::::::::

Wed, 20 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:19595 https://access.redhat.com/errata/RHSA-2026:19596

Wed, 20 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:build_keycloak:~~	cpe:/a:redhat:build_keycloak:26.2::el9 cpe:/a:redhat:build_keycloak:26.4::el9
References		https://access.redhat.com/errata/RHSA-2026:19594 https://access.redhat.com/errata/RHSA-2026:19597

Wed, 20 May 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat build Of Keycloak
Vendors & Products		Redhat build Of Keycloak

Tue, 19 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-7307 https://www.cve.org/CVERecord?id=CVE-2026-7307
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 19 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
Title		Keycloak: keycloak: denial of service via specially crafted saml input
First Time appeared		Redhat Redhat build Keycloak
Weaknesses		CWE-1286
CPEs		cpe:/a:redhat:build_keycloak:
Vendors & Products		Redhat Redhat build Keycloak
References		https://access.redhat.com/security/cve/CVE-2026-7307 https://bugzilla.redhat.com/show_bug.cgi?id=2476526
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Redhat Build Keycloak Build Of Keycloak

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-05-19T10:52:24.684Z

Updated: 2026-05-20T15:48:13.891Z

Reserved: 2026-04-28T11:51:30.176Z

Link: CVE-2026-7307

Vulnrichment

Updated: 2026-05-19T12:49:13.897Z

NVD

Status : Analyzed

Published: 2026-05-19T12:16:19.423

Modified: 2026-06-03T19:52:44.410

Link: CVE-2026-7307

Redhat

Severity : Important

Publid Date: 2026-05-19T10:42:34Z

Links: CVE-2026-7307 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T02:30:05Z

Weaknesses

CWE-1286
Improper Validation of Syntactic Correctness of Input

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object