Description
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Keycloak allows a remote, unauthenticated attacker to send a specially crafted XML payload to the Security Assertion Markup Language (SAML) endpoint. The malformed input triggers intensive CPU usage and worker thread starvation, eventually exhausting server resources and rendering the service unavailable. The weakness is classified as CWE-1286 (Improper Validation of Syntactic Correctness of Input): the endpoint accepts XML whose syntactic form is not adequately checked before it is processed, so the attacker controls how much CPU time and how many worker threads each request consumes. No confidentiality or integrity impact is recorded; this is an availability issue only.

Affected Systems

All deployments of Red Hat build of Keycloak that expose the SAML endpoint are listed as affected; the advisory gives no version range (the CPE cpe:/a:redhat:build_keycloak: carries no version), so any installation without a fix should be treated as vulnerable. The description names Keycloak itself rather than only the Red Hat build, so upstream Keycloak deployments should be assumed exposed as well until a fixed version is identified.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) signals high severity: network-reachable, low attack complexity, no privileges or user interaction required, and a high availability impact with no confidentiality or integrity impact. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is currently low, and the issue is not listed in the CISA KEV catalog; the SSVC assessment recorded on this page shows Exploitation: none but Automatable: yes. Any host that can reach the SAML endpoint can exploit it, and a sustained DoS needs only repeated requests, so the low EPSS should not be read as low exposure for an internet-facing identity provider.

Generated by OpenCVE AI on May 19, 2026 at 12:24 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability before a fix is available, restrict access to the Keycloak SAML endpoint to trusted networks and clients. Keycloak serves SAML for each realm under /realms/<realm>/protocol/saml (with an /auth prefix on older, WildFly-based deployments), so the precise control is a path-based allow list at the reverse proxy in front of Keycloak; a firewall rule on the Keycloak service port (e.g., 8080) also works but cuts off OIDC logins and the admin console for the same sources. Note that in the SAML POST and Redirect bindings the messages arrive through the end user's browser, not directly from the peer identity provider or service provider, so restricting the endpoint by source address is only viable where every SAML user sits on the trusted networks. If no realm uses SAML clients or SAML identity providers, block the path entirely to remove the attack surface. Applying firewall or proxy changes may require a reload of the proxy or a restart of the Keycloak service, which can briefly affect availability.


OpenCVE Recommended Actions

  • Restrict access to the Keycloak SAML endpoint (/realms/<realm>/protocol/saml) to trusted networks, preferably by path at the reverse proxy; firewall rules on the Keycloak service port (e.g., 8080) also block OIDC and admin traffic from the same sources.
  • If no realm uses SAML clients or SAML identity providers, block the SAML path entirely to eliminate the attack surface; remember that browser-based SAML flows deliver messages from end-user addresses, so a source-address allow list must cover every SAML user.
  • Apply the changes by reloading the proxy or restarting the Keycloak service, then verify that OIDC logins still work and that the SAML path is refused from an untrusted address.

Generated by OpenCVE AI on May 19, 2026 at 12:24 UTC.
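As an added example (not code from OpenCVE, Red Hat or the Keycloak project), the following Python models the two halves of the workaround above: the path-plus-source rule a reverse proxy would enforce in front of Keycloak, and a check over access-log lines that flags a source repeatedly POSTing to a SAML endpoint, which is the traffic shape a crafted-XML DoS produces. The endpoint paths are Keycloak's real ones (/realms/{realm}/protocol/saml, with the /auth prefix on pre-Quarkus builds); the trusted CIDRs, the threshold and the log lines are constructed for the example.

```python
# Added example (not from the advisory, OpenCVE or the Keycloak project).
# 1. saml_endpoint_decision(): the path + source-address rule the workaround
#    above asks a firewall or reverse proxy to enforce.
# 2. flag_saml_bursts(): a log check that flags sources repeatedly POSTing to
#    the SAML endpoint, the traffic shape a crafted-XML DoS would produce.
# Trusted CIDRs, the threshold and the log lines are constructed for the example.
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Keycloak serves SAML at /realms/{realm}/protocol/saml (Quarkus distribution)
# or /auth/realms/{realm}/protocol/saml (older WildFly distribution); the
# descriptor and other sub-paths live under the same prefix.
SAML_PATH = re.compile(r"^(?:/auth)?/realms/[^/]+/protocol/saml(?:/|$)")

# Assumed trusted ranges, e.g. the VPN and the office network (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.1.0/24")]


def is_saml_endpoint(path: str) -> bool:
    """True for any realm's SAML endpoint, ignoring the query string."""
    return SAML_PATH.match(path.split("?", 1)[0]) is not None


def saml_endpoint_decision(path: str, src_ip: str, trusted=TRUSTED_NETWORKS) -> str:
    """'allow' or 'deny' for one request: SAML paths only from trusted networks,
    every other Keycloak path (OIDC, admin console, health) left untouched."""
    if not is_saml_endpoint(path):
        return "allow"
    addr = ipaddress.ip_address(src_ip)
    return "allow" if any(addr in net for net in trusted) else "deny"


# nginx/Apache "combined" log format; only the fields the check needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_saml_bursts(log_lines, threshold: int = 50):
    """Count POSTs to SAML endpoints per (source IP, minute) and return the
    (ip, minute, count) tuples at or above `threshold`, highest count first.
    The default threshold is a constructed starting point, not a vendor figure."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not is_saml_endpoint(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    flagged = [(ip, minute, n) for (ip, minute), n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: (-t[2], t[0], t[1]))


# Constructed sample log: six SAML POSTs in one minute from an untrusted host,
# one SAML POST from a trusted host, and two OIDC requests that must be ignored.
def _line(ip, sec, method, path, status="200"):
    return (f'{ip} - - [19/May/2026:12:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1532 "-" "python-requests/2.31"')


SAMPLE_LOG = [_line("203.0.113.5", s, "POST", "/realms/master/protocol/saml") for s in range(6)]
SAMPLE_LOG += [
    _line("10.1.2.3", 7, "POST", "/realms/master/protocol/saml"),
    _line("203.0.113.5", 8, "POST", "/realms/master/protocol/openid-connect/token"),
    _line("203.0.113.5", 9, "GET", "/realms/master/protocol/openid-connect/auth?client_id=x"),
]

if __name__ == "__main__":
    print(saml_endpoint_decision("/realms/master/protocol/saml", "203.0.113.5"))  # deny
    print(saml_endpoint_decision("/realms/master/protocol/saml", "10.1.2.3"))     # allow
    print(flag_saml_bursts(SAMPLE_LOG, threshold=5))  # [('203.0.113.5', '2026-05-19 12:00', 6)]
```

To turn the decision function into a real proxy rule, the same path pattern goes into a location block with allow/deny directives for the trusted ranges, and the OIDC paths stay unrestricted. The log check is a starting point for a detection rule: tune the threshold against a baseline of legitimate SAML traffic before alerting on it.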


Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 12:15:00 +0000

Type         Values Removed          Values Added
References
Metrics      threat_severity: None   threat_severity: Important


Tue, 19 May 2026 11:30:00 +0000

Type                  Values Removed   Values Added
Description           (none)           A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
Title                 (none)           Keycloak: keycloak: denial of service via specially crafted saml input
First Time appeared   (none)           Redhat; Redhat build Keycloak
Weaknesses            (none)           CWE-1286
CPEs                  (none)           cpe:/a:redhat:build_keycloak:
Vendors & Products    (none)           Redhat; Redhat build Keycloak
References
Metrics               (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T13:41:35.005Z

Reserved: 2026-04-28T11:51:30.176Z

Link: CVE-2026-7307

Vulnrichment

Updated: 2026-05-19T12:49:13.897Z

NVD

Status : Awaiting Analysis

Published: 2026-05-19T12:16:19.423

Modified: 2026-05-19T14:25:40.320

Link: CVE-2026-7307

Redhat

Severity : Important

Public Date: 2026-05-19T10:42:34Z

Links: CVE-2026-7307 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses