{ "threat_severity" : "Important", "public_date" : "2026-03-05T11:23:00Z", "bugzilla" : { "description" : "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider", "id" : "2440300", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2440300" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-306", "details" : [ "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.", "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication." ], "statement" : "This important flaw in Red Hat Build of Keycloak allows a remote attacker to bypass security controls. A disabled SAML Identity Provider can still be exploited for unauthorized authentication via IdP-initiated broker logins if the SAML protocol endpoint is reachable and the attacker knows the broker URL.", "acknowledgement" : "Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat build of Keycloak 26.2", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3925", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-operator-bundle:26.2.14-1" }, { "product_name" : "Red Hat build of Keycloak 26.2", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3925", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-rhel9:26.2-16" }, { "product_name" : "Red Hat build of Keycloak 26.2", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3925", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-rhel9-operator:26.2-16" }, { "product_name" : "Red Hat build of Keycloak 26.2.14", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3926", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-rhel9" }, { "product_name" : "Red Hat build of Keycloak 26.4", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3948", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-operator-bundle:26.4.10-1" }, { "product_name" : "Red Hat build of Keycloak 26.4", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3948", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-rhel9:26.4-12" }, { "product_name" : "Red Hat build of Keycloak 26.4", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3948", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-rhel9-operator:26.4-12" }, { "product_name" : "Red Hat build of Keycloak 26.4.10", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3947", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-rhel9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-2603\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2603" ], "name" : "CVE-2026-2603", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }