CVE-2026-7307
Description
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote unauthenticated attacker can trigger a Denial of Service in Keycloak by sending a crafted SAML request that causes high CPU usage.
Vulnerability
The vulnerability exists in Keycloak's SAML endpoint. A remote unauthenticated attacker can send a specially crafted XML input to the SAML endpoint, causing excessive CPU consumption and worker thread starvation, leading to a denial of service [1]. Affected versions are Keycloak releases prior to 26.4.12 and prior to 26.2.16.
Exploitation
No authentication is required. The attacker must have network access to the SAML endpoint. When a malicious SAML request is sent, the server processes the XML in a way that consumes high CPU and starves worker threads [1].
Impact
Successful exploitation results in a denial of service, making the Keycloak server unavailable for legitimate requests [1].
Mitigation
Fixed in Keycloak 26.4.12 (standalone and operator images) and Keycloak 26.2.16. Red Hat released security updates RHSA-2026:19596, RHSA-2026:19597, and RHSA-2026:19595 [2][3][4]. Users should upgrade to the fixed versions. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
News mentions (0)
No linked articles in our index yet.