Medium severity5.3NVD Advisory· Published Mar 18, 2026· Updated Jun 3, 2026
CVE-2026-2575
CVE-2026-2575
Description
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-saml-adapter-coreMaven | < 26.5.4 | 26.5.4 |
org.keycloak:keycloak-saml-coreMaven | < 26.5.4 | 26.5.4 |
org.keycloak:keycloak-servicesMaven | < 26.5.4 | 26.5.4 |
Affected products
5- Red Hat/Red Hat build of Keycloak 26.4.10v5cpe:/a:redhat:build_keycloak:26.4::el9
- ghsa-coords3 versionspkg:maven/org.keycloak/keycloak-saml-adapter-corepkg:maven/org.keycloak/keycloak-saml-corepkg:maven/org.keycloak/keycloak-services
< 26.5.4+ 2 more
- (no CPE)range: < 26.5.4
- (no CPE)range: < 26.5.4
- (no CPE)range: < 26.5.4
Patches
Vulnerability mechanics
References
8- access.redhat.com/errata/RHSA-2026:3947nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2026:3948nvdVendor AdvisoryWEB
- access.redhat.com/security/cve/CVE-2026-2575nvdVendor AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor AdvisoryWEB
- github.com/advisories/GHSA-xv6h-r36f-3gp5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-2575ghsaADVISORY
- github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04ghsaWEB
- github.com/keycloak/keycloak/issues/46372ghsaWEB
News mentions
0No linked articles in our index yet.