{
  "threat_severity" : "Low",
  "public_date" : "2026-01-19T08:08:00Z",
  "bugzilla" : {
    "description" : "org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData",
    "id" : "2430835",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2430835"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-112",
  "details" : [ "A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to have a SAML response accepted after its `NotOnOrAfter` time has passed, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.", "A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to have a SAML response accepted after its `NotOnOrAfter` time has passed, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption." ],
  "statement" : "This vulnerability is rated Low for Red Hat products. In the Red Hat context, because Keycloak's SAML brokering functionality does not validate the `NotOnOrAfter` timestamp in `SubjectConfirmationData`, an attacker can have a SAML response accepted after it should have expired. This could lead to unexpected session durations or increased resource consumption.",
  "acknowledgement" : "Red Hat would like to thank Franz Bettag (Bettag Systems) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.10-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.10",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3947",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-1190\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1190" ],
  "name" : "CVE-2026-1190",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}