org.keycloak.broker.saml: Keycloak SAML broker: authentication bypass due to disabled SAML client completing IdP-initiated login
Description
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A disabled SAML client configured as an IdP-initiated broker landing target can still complete login and establish an SSO session, allowing unauthorized access to other clients.
Vulnerability
A flaw exists in the Keycloak SAML broker component (org.keycloak.broker.saml) where a disabled Security Assertion Markup Language (SAML) client that is configured as an Identity Provider (IdP)-initiated broker landing target can still complete the login process and establish a Single Sign-On (SSO) session [1][2]. This occurs because the broker does not properly enforce the disabled status during IdP-initiated authentication flows.
Exploitation
An attacker can exploit this vulnerability by initiating a SAML login through the disabled client, bypassing its disabled state. No authentication is required to trigger the flaw, as the attacker only needs to know the client's identifier and be able to send a SAML request to the broker [1]. The attack vector is remote and does not require any special privileges.
Impact
Once the SSO session is established, the attacker gains unauthorized access to other enabled clients within the same Keycloak realm without re-authentication, effectively bypassing security restrictions [1][2]. This can lead to privilege escalation and unauthorized data access.
Mitigation
Red Hat has released security updates for Keycloak versions 26.4.10 and 26.2.14 that address this vulnerability [3][4]. Administrators are advised to apply the patches immediately. No workarounds are currently available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
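The configuration pattern the advisory describes is a SAML client that has been disabled but still carries an IdP-initiated SSO URL name. Until the patched builds are deployed, an administrator will want an inventory of such clients per realm. The following is an added audit script, not code from the page or from the Keycloak project. It assumes the Keycloak admin REST API is reachable at a base URL with a bearer token that can view clients, and that the IdP-initiated landing name is stored in the client attribute `saml_idp_initiated_sso_url_name` as in upstream Keycloak's SAML client settings; the sample client list is constructed so the check runs offline. It is an inventory check for review and patch prioritisation, not a workaround.

```python
"""
Audit: list SAML clients that are disabled yet still expose an IdP-initiated
SSO URL name (the pattern behind CVE-2026-3047). Added example, not Keycloak
project code.

Assumptions (not taken from the advisory):
  - The admin REST API is served at ADMIN_URL + /admin/realms/{realm}/clients
    and TOKEN can view clients in that realm.
  - The IdP-initiated landing name is the client attribute
    `saml_idp_initiated_sso_url_name`.
"""
import json
import urllib.request
from typing import Iterable

IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"  # assumed attribute key


def find_disabled_idp_initiated_clients(clients: Iterable[dict]) -> list[dict]:
    """Return summaries of SAML clients that are disabled but still have an
    IdP-initiated SSO URL name configured. Pure function over client
    representations, so it can be unit-tested without a server."""
    hits = []
    for c in clients:
        if c.get("protocol") != "saml":
            continue  # only SAML clients can be IdP-initiated landing targets
        landing = (c.get("attributes") or {}).get(IDP_INITIATED_ATTR, "").strip()
        if not landing:
            continue  # no IdP-initiated landing configured: not the pattern
        if c.get("enabled", True):
            continue  # enabled client: ordinary configuration, nothing to flag
        hits.append({
            "clientId": c.get("clientId"),
            "idpInitiatedName": landing,
            "enabled": False,
        })
    return hits


def fetch_realm_clients(admin_url: str, realm: str, token: str) -> list[dict]:
    """Fetch all client representations of a realm from the admin REST API.
    Only this helper needs network access; the audit itself is offline."""
    req = urllib.request.Request(
        f"{admin_url.rstrip('/')}/admin/realms/{realm}/clients",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample in the shape of admin-API client representations, used so
# the check can be exercised without a Keycloak server.
SAMPLE_CLIENTS = [
    {"clientId": "legacy-portal", "protocol": "saml", "enabled": False,
     "attributes": {IDP_INITIATED_ATTR: "legacy-portal"}},
    {"clientId": "hr-app", "protocol": "saml", "enabled": True,
     "attributes": {IDP_INITIATED_ATTR: "hr"}},
    {"clientId": "old-saml-app", "protocol": "saml", "enabled": False,
     "attributes": {}},
    {"clientId": "web-spa", "protocol": "openid-connect", "enabled": False,
     "attributes": {}},
]

if __name__ == "__main__":
    # Replace SAMPLE_CLIENTS with fetch_realm_clients(ADMIN_URL, REALM, TOKEN)
    # to audit a live realm.
    for hit in find_disabled_idp_initiated_clients(SAMPLE_CLIENTS):
        print(f"REVIEW: disabled SAML client {hit['clientId']!r} still has "
              f"IdP-initiated SSO URL name {hit['idpInitiatedName']!r}")
```

Against the constructed sample only `legacy-portal` is reported: `hr-app` is enabled, `old-saml-app` has no IdP-initiated name, and `web-spa` is not a SAML client. Run it per realm and treat each hit as a client whose disabled state should not be relied on until the patched Keycloak build is in place.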
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-broker-saml | Maven | <= 1.8.1.Final | — |
Affected products
- Red Hat / Red Hat build of Keycloak 26.2.14 (CPE: cpe:/a:redhat:build_keycloak:26.2::el9)
- Red Hat / Red Hat build of Keycloak 26.4.10 (CPE: cpe:/a:redhat:build_keycloak:26.4::el9)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2026:3925 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2026:3926 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2026:3947 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2026:3948 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-8cr3-vpxx-92cx (advisory, GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-3047 (advisory, NVD)
- access.redhat.com/security/cve/CVE-2026-3047 (vulnerability database entry, Red Hat)
- bugzilla.redhat.com/show_bug.cgi (issue tracking, Red Hat)
- github.com/keycloak/keycloak/releases/tag/26.5.5 (release notes, Keycloak)
News mentions
No linked articles in our index yet.