Issued: 2026-03-05
Updated: 2026-03-05

RHSA-2026:3947 - Important: Red Hat build of Keycloak 26.4.10 Update


Synopsis

Important: Red Hat build of Keycloak 26.4.10 Update

Type/Severity

Security Advisory Important

Topic

New Red Hat build of Keycloak 26.4.10 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.4.10 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

  • Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)
  • Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass) (CVE-2026-3009)
  • Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)
  • Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)
  • Missing Check on Disabled Client for Docker Registry Protocol (CVE-2026-2733)
  • Denial of Service due to excessive SAMLRequest decompression (CVE-2026-2575)
  • Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData (CVE-2026-1190)
  • Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass (CVE-2026-0707)

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

Product                      Version                Arch
Red Hat build of Keycloak    Text-only Advisories   x86_64

Fixes

(none)
