Description
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote, unauthenticated attacker can send crafted SOAP requests to the SAML ECP endpoint in Keycloak, each naming a different client ID. Because the endpoint answers with a different faultstring depending on why the request was rejected, the attacker can infer the protocol type of the named client, information that should be visible only to the realm's administrators. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, score 5.3) reflects a network-reachable weakness with a low confidentiality impact and no impact on integrity or availability.
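The oracle the description refers to, modelled as an added example in Python (this is illustrative code, not Keycloak's SAML ECP implementation): a minimal ECP-style SOAP request whose AuthnRequest Issuer names a client ID, a leaky handler that answers each rejection reason with its own faultstring, and a hardened handler that returns one generic faultstring for every pre-authentication failure and keeps the reason in the server log. The client registry, the faultstring texts and the message layout are assumptions made for the demonstration.

```python
"""Illustrative model of the faultstring oracle behind CWE-209 on a SAML ECP endpoint.
Not Keycloak's code: the client registry, message texts and SOAP layout are assumptions."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1, whose faults carry <faultstring>
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed client registry {client_id: protocol}; a real IdP reads this from the realm.
CLIENTS = {"saml-portal": "saml", "oidc-dashboard": "openid-connect"}

SERVER_LOG = []  # where the hardened handler keeps the detail it no longer returns to the caller


def ecp_authn_request(issuer: str) -> bytes:
    """Minimal SOAP envelope an ECP client forwards to the IdP: an AuthnRequest whose Issuer is the client ID."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP_NS}}}AuthnRequest",
                        {"ID": "_req1", "Version": "2.0", "IssueInstant": "2026-05-28T00:00:00Z"})
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(env)


def soap_fault(faultstring: str) -> bytes:
    """SOAP 1.1 Fault carrying the given faultstring."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = faultstring
    return ET.tostring(env)


def issuer_of(soap_request: bytes) -> str:
    el = ET.fromstring(soap_request).find(f".//{{{SAML_NS}}}Issuer")
    return (el.text or "").strip() if el is not None else ""


def faultstring_of(soap_response: bytes) -> str:
    el = ET.fromstring(soap_response).find(f".//{{{SOAP_NS}}}Fault/faultstring")
    return (el.text or "") if el is not None else ""


def handle_ecp_leaky(soap_request: bytes) -> bytes:
    """Vulnerable pattern: every rejection reason gets its own faultstring, so the text alone tells
    the caller whether the named client is known and which protocol it is configured for."""
    client_id = issuer_of(soap_request)
    proto = CLIENTS.get(client_id)
    if proto is None:
        return soap_fault("Client not found")
    if proto != "saml":
        return soap_fault("Wrong client protocol")
    return soap_fault("Authentication required")  # a real IdP would continue into the ECP login flow


def handle_ecp_hardened(soap_request: bytes) -> bytes:
    """Hardened pattern: all pre-authentication rejections share one generic faultstring;
    the distinguishing detail goes to the server log, never back to the caller."""
    client_id = issuer_of(soap_request)
    proto = CLIENTS.get(client_id)
    if proto != "saml":
        SERVER_LOG.append(f"ECP request rejected: client_id={client_id!r} protocol={proto}")
        return soap_fault("Invalid request")
    return soap_fault("Authentication required")


def probe(handler, candidate_ids):
    """What a remote observer learns: the faultstring produced for each candidate client ID."""
    return {cid: faultstring_of(handler(ecp_authn_request(cid))) for cid in candidate_ids}


def oracle_exists(handler, candidate_ids) -> bool:
    """True if faultstrings alone separate the candidates, i.e. the endpoint is an enumeration oracle."""
    return len(set(probe(handler, candidate_ids).values())) > 1


if __name__ == "__main__":
    rejected = ["oidc-dashboard", "no-such-client"]
    print("leaky   :", probe(handle_ecp_leaky, rejected), "oracle:", oracle_exists(handle_ecp_leaky, rejected))
    print("hardened:", probe(handle_ecp_hardened, rejected), "oracle:", oracle_exists(handle_ecp_hardened, rejected))
```

Against the leaky handler, two client IDs that are both rejected produce different faultstrings, so the caller learns that one of them is a registered non-SAML client and the other is unknown; against the hardened handler the two cases are indistinguishable. A client that is legitimately usable through ECP must still get a different answer (the authentication challenge), so the fix is about collapsing the rejection cases, not about making every response identical.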

Affected Systems

Red Hat Build of Keycloak (CPE cpe:/a:redhat:build_keycloak:). The CNA record gives no affected-version range, so every release of the Red Hat build should be treated as potentially affected until Red Hat publishes fixed versions. The description names Keycloak itself rather than only the Red Hat build, so upstream Keycloak deployments should not be assumed unaffected either.

Risk and Exploitability

The vulnerability is exploitable remotely without authentication and operates entirely through the SAML ECP endpoint. No EPSS score is available and the issue is not listed in CISA's KEV catalog, so no active exploitation has been reported so far. The attack itself is straightforward (unauthenticated SOAP POSTs naming candidate client IDs, with the faultstring as the oracle), so it is within reach of anyone scanning for internet-exposed Keycloak installations. What it yields is reconnaissance rather than direct compromise: the protocol type, SAML or OpenID Connect, behind a guessed client ID, which helps an attacker target follow-on attacks against those clients. The moderate CVSS score reflects that limited confidentiality impact; with no patch and no vendor-accepted workaround yet, administrators have no definitive fix at this time.

Generated by OpenCVE AI on May 28, 2026 at 05:22 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Restrict access to the SAML ECP endpoint so that only trusted networks or IP ranges can reach it; if no client in the realm uses the ECP profile, block the SOAP binding entirely at the reverse proxy.
  • Monitor the endpoint for bursts of SOAP requests from a single source that are mostly answered with SOAP faults, the traffic shape of a client-ID probe, and log and alert on that pattern.
  • Apply any future Red Hat patch or update that addresses this flaw as soon as it becomes available.
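A detection pass over reverse-proxy access logs for the monitoring item above, added here as an example (it is not part of this page or of Keycloak). A client-ID probe looks like a burst of SOAP-bound POSTs to the SAML endpoint from one source, almost all answered with a fault. The script assumes a JSON-per-line access log with the fields shown, that the SAML endpoint sits at Keycloak's default path /realms/<realm>/protocol/saml, and that ECP requests arrive with a SOAP content type; the log lines and thresholds are constructed for the demonstration and should be tuned to your own traffic.

```python
"""Added detection example: flag sources bursting SOAP-bound (ECP) requests at the SAML endpoint.
Assumptions: JSON-per-line proxy access log with these fields; Keycloak's default SAML path;
ECP requests carry a SOAP content type. Sample lines and thresholds are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

SAML_ENDPOINT = re.compile(r"^/realms/[^/]+/protocol/saml/?$")   # assumed Keycloak URL layout
SOAP_TYPES = {"application/soap+xml", "text/xml"}                # assumed ECP binding media types

# Constructed sample log (not real traffic): one source walks client IDs and collects faults,
# another authenticates normally, plus unrelated SAML POST-binding and OIDC traffic.
SAMPLE_LOG = """\
{"ts":"2026-05-28T04:40:00+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":500}
{"ts":"2026-05-28T04:40:03+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":500}
{"ts":"2026-05-28T04:40:06+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"text/xml; charset=utf-8","status":400}
{"ts":"2026-05-28T04:40:09+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":500}
{"ts":"2026-05-28T04:40:12+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":500}
{"ts":"2026-05-28T04:40:15+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":500}
{"ts":"2026-05-28T04:40:20+00:00","src":"203.0.113.7","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/x-www-form-urlencoded","status":302}
{"ts":"2026-05-28T04:41:00+00:00","src":"198.51.100.4","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":200}
{"ts":"2026-05-28T04:41:05+00:00","src":"198.51.100.4","method":"GET","path":"/realms/corp/protocol/openid-connect/auth","content_type":"","status":200}
{"ts":"2026-05-28T04:45:00+00:00","src":"198.51.100.4","method":"POST","path":"/realms/corp/protocol/saml","content_type":"application/soap+xml","status":500}
"""


def parse_line(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def is_ecp_request(rec: dict) -> bool:
    """POST to the SAML endpoint with a SOAP media type (parameters such as charset stripped)."""
    media_type = rec.get("content_type", "").split(";")[0].strip().lower()
    return (rec.get("method") == "POST"
            and SAML_ENDPOINT.match(rec.get("path", "")) is not None
            and media_type in SOAP_TYPES)


def ecp_probe_sources(log_text: str, window_s: int = 60, threshold: int = 5,
                      error_ratio: float = 0.8) -> dict:
    """Return {src: largest_burst} for sources that sent >= threshold ECP requests within any
    window_s-second window where at least error_ratio of them were answered with a 4xx/5xx.
    A legitimate ECP client authenticates a few times and mostly succeeds; a client-ID probe
    fires many requests in quick succession and mostly collects faults."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if is_ecp_request(rec):
                per_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):          # sliding window over this source's requests
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            burst = recs[lo:hi + 1]
            if len(burst) < threshold:
                continue
            errors = sum(1 for r in burst if r["status"] >= 400)
            if errors / len(burst) >= error_ratio:
                flagged[src] = max(flagged.get(src, 0), len(burst))
    return flagged


if __name__ == "__main__":
    for src, n in ecp_probe_sources(SAMPLE_LOG).items():
        print(f"possible ECP client-ID probe from {src}: {n} SOAP requests to the SAML endpoint within 60s")
```

The error-ratio filter assumes the proxy records a 4xx/5xx status for SOAP faults; if your stack returns faults with HTTP 200, set error_ratio to 0 and rely on the burst count alone, or have the proxy log the response's faultstring explicitly. Rate-limiting or blocking the flagged sources at the proxy is the matching enforcement step.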

Generated by OpenCVE AI on May 28, 2026 at 05:22 UTC.


Advisories

No advisories yet.

History

Thu, 28 May 2026 04:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
Title Keycloak: keycloak: information disclosure via saml ecp endpoint
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-209
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T03:44:20.414Z

Reserved: 2026-05-28T03:15:11.408Z

Link: CVE-2026-9794

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T05:16:40.847

Modified: 2026-05-28T05:16:40.847

Link: CVE-2026-9794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses