{
  "threat_severity" : "Important",
  "public_date" : "2026-03-05T11:24:00Z",
  "bugzilla" : {
    "description" : "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login",
    "id" : "2441966",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.", "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions." ],
  "statement" : "CRITICAL: This flaw allows a disabled SAML client in Keycloak, when configured as an IdP-initiated broker landing target, to still facilitate a successful login. This bypasses the intended security control, granting an authenticated user access to other enabled clients without re-authentication. This issue affects Keycloak instances where a disabled SAML client is configured for IdP-initiated brokering and the user exists in the external Identity Provider.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3925",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.2.14-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3925",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9:26.2-16"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3925",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.2-16"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2.14",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3926",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.10-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.10",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3947",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3047\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3047" ],
  "name" : "CVE-2026-3047",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure that no SAML client intended to be disabled is configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify any disabled SAML client that is still set as an IdP-initiated broker landing target and remove that association.",
    "lang" : "en:us"
  },
  "csaw" : false
}