High severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 18, 2026
Keycloak: unauthorized authentication via disabled SAML identity provider
CVE-2026-2603
Description
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
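Because a disabled SAML broker still accepts IdP-initiated responses on affected versions, "disabled" cannot be relied on as a control until the server is at the patched version. The following audit helper is an added example, not code from Keycloak or from this advisory: it flags disabled SAML identity providers on servers below 26.5.5 (the upstream fix version from the table below). It assumes identity providers are represented with the `alias`, `providerId` and `enabled` fields of the Keycloak admin representation; the realm data is constructed for the example.

```python
"""Audit helper (added example): list disabled SAML identity providers that
remain reachable for IdP-initiated broker logins because the Keycloak server
is still below the fixed upstream version 26.5.5.

Assumption: identity providers are dicts shaped like the Keycloak admin
representation (alias, providerId, enabled). Sample data is constructed."""
from dataclasses import dataclass

FIXED_VERSION = (26, 5, 5)  # upstream fix per the advisory's package table


def parse_version(v: str) -> tuple:
    """'26.5.4' -> (26, 5, 4); a suffix such as '-SNAPSHOT' is ignored."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_patched(server_version: str) -> bool:
    """True when the upstream version already carries the fix."""
    return parse_version(server_version) >= FIXED_VERSION


@dataclass
class Finding:
    realm: str
    alias: str


def audit(server_version: str, realms: dict) -> list:
    """realms maps realm name -> list of identity-provider representations.
    Returns the disabled SAML brokers that are still exposed on this server."""
    if is_patched(server_version):
        return []
    findings = []
    for realm, idps in realms.items():
        for idp in idps:
            if idp.get("providerId") == "saml" and not idp.get("enabled", True):
                findings.append(Finding(realm, idp["alias"]))
    return findings


# Constructed sample: two realms, three SAML brokers, one non-SAML broker.
SAMPLE_REALMS = {
    "corp": [
        {"alias": "old-adfs", "providerId": "saml", "enabled": False},
        {"alias": "okta", "providerId": "saml", "enabled": True},
        {"alias": "github", "providerId": "github", "enabled": False},
    ],
    "partners": [
        {"alias": "legacy-partner", "providerId": "saml", "enabled": False},
    ],
}

if __name__ == "__main__":
    for f in audit("26.5.4", SAMPLE_REALMS):
        print(f"{f.realm}: disabled SAML IdP '{f.alias}' still reachable; "
              f"upgrade to 26.5.5 or remove the broker")
```

Removing the broker configuration (or its trusted signing certificate) is the interim mitigation the audit points at; the Red Hat build uses its own fixed versions, so check those builds against the errata listed under References rather than against 26.5.5.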
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-services | Maven | < 26.5.5 | 26.5.5 |
| org.keycloak:keycloak-server-spi-private | Maven | < 26.5.5 | 26.5.5 |
Affected products
- Red Hat build of Keycloak 26.2.14 (cpe:/a:redhat:build_keycloak:26.2::el9)
- Red Hat build of Keycloak 26.4.10 (cpe:/a:redhat:build_keycloak:26.4::el9)
References
- access.redhat.com/errata/RHSA-2026:3925 (vendor advisory)
- access.redhat.com/errata/RHSA-2026:3926 (vendor advisory)
- access.redhat.com/errata/RHSA-2026:3947 (vendor advisory)
- access.redhat.com/errata/RHSA-2026:3948 (vendor advisory)
- github.com/advisories/GHSA-x4p7-7chp-64hq (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-2603 (advisory)
- access.redhat.com/security/cve/CVE-2026-2603 (vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/keycloak/keycloak/commit/4fd5367e6cc28cfa68fb2240fc459c12b1fdbf2a (fix commit)
- github.com/keycloak/keycloak/commit/8ed7e59dc08d79751a27c23aadb590f06b43f132 (fix commit)
- github.com/keycloak/keycloak/commits/26.5.5 (release commits)
- github.com/keycloak/keycloak/issues/46911 (issue)
- github.com/keycloak/keycloak/pull/46932 (pull request)