VYPR
High severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 18, 2026

keycloak-services: Keycloak: unauthorized access via improper validation of encrypted SAML assertions

CVE-2026-2092

Description

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Ecosystem   Affected versions        Patched version
org.keycloak:keycloak-saml-adapter-core    Maven       < 26.2.14                26.2.14
org.keycloak:keycloak-saml-adapter-core    Maven       >= 26.3.0, < 26.4.10     26.4.10
org.keycloak:keycloak-saml-adapter-core    Maven       >= 26.5.0, < 26.5.5      26.5.5
org.keycloak:keycloak-saml-core            Maven       < 26.2.14                26.2.14
org.keycloak:keycloak-saml-core            Maven       >= 26.3.0, < 26.4.10     26.4.10
org.keycloak:keycloak-saml-core            Maven       >= 26.5.0, < 26.5.5      26.5.5
org.keycloak:keycloak-services             Maven       < 26.2.14                26.2.14
org.keycloak:keycloak-services             Maven       >= 26.3.0, < 26.4.10     26.4.10
org.keycloak:keycloak-services             Maven       >= 26.5.0, < 26.5.5      26.5.5
