High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 24, 2026
org.keycloak/keycloak-services: Improper enforcement of disabled identity provider in IdentityBrokerService (authentication bypass)
CVE-2026-3009
Description
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | < 26.5.5 | 26.5.5 |
Affected products
- Red Hat / Red Hat build of Keycloak 26.4.10 (cpe:/a:redhat:build_keycloak:26.4::el9)
- cpe:/a:redhat:jbosseapxp
- cpe:/a:redhat:jboss_enterprise_application_platform:8
- cpe:/a:redhat:red_hat_single_sign_on:7
References
- access.redhat.com/errata/RHSA-2026:3947 (vendor advisory)
- access.redhat.com/errata/RHSA-2026:3948 (vendor advisory)
- github.com/advisories/GHSA-m297-3jv9-m927 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3009 (advisory)
- access.redhat.com/security/cve/CVE-2026-3009 (vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/keycloak/keycloak/commit/4fd5367e6cc28cfa68fb2240fc459c12b1fdbf2a (fix commit)
- github.com/keycloak/keycloak/issues/46911 (issue)
- github.com/keycloak/keycloak/releases/tag/26.5.5 (release)