VYPR
Medium severity (5.3) · NVD Advisory · Published May 28, 2026

CVE-2026-9794

Description

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak SAML ECP endpoint leaks client protocol type to unauthenticated remote attackers via SOAP fault messages.

Vulnerability

A flaw exists in Keycloak's SAML ECP (Enhanced Client or Proxy) endpoint. A remote, unauthenticated attacker can send specially crafted SOAP requests to this endpoint with varying client IDs. By observing the distinct fault strings returned in the SOAP responses, the attacker can determine the protocol type of the targeted client. This affects versions prior to the fix released on 2026-05-28 [1][2].

Exploitation

The attacker requires network access to reach the Keycloak SAML ECP endpoint. No authentication is needed. The attacker crafts SOAP requests with different client IDs and sends them to the endpoint. The endpoint responds with distinct fault strings depending on the client's protocol type, allowing the attacker to differentiate between client types [1][2].
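As an added defensive illustration (not part of this advisory and not Keycloak code): a detection routine that flags a single source sending SOAP requests for many distinct client IDs to the SAML endpoint within a short window, which is the probing pattern described above. The endpoint path fragment, the JSON-lines log format and the thresholds are assumptions to adapt to your own proxy or IdP logs.

```python
import json
from datetime import datetime, timedelta

# Assumed values (not from the advisory): the SAML endpoint path fragment,
# the log fields and the thresholds are placeholders; tune them to your proxy.
SAML_PATH_MARKER = "/protocol/saml"
WINDOW = timedelta(minutes=5)      # look-back window per source address
DISTINCT_CLIENT_THRESHOLD = 5      # distinct client IDs that raise an alert
# Constructed sample request log (JSON lines), not real Keycloak output.
SAMPLE_LOG = """\
{"ts":"2026-05-28T10:00:01Z","src":"203.0.113.7","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"app-1"}
{"ts":"2026-05-28T10:00:03Z","src":"203.0.113.7","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"app-2"}
{"ts":"2026-05-28T10:00:05Z","src":"203.0.113.7","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"app-3"}
{"ts":"2026-05-28T10:00:06Z","src":"198.51.100.4","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"payroll"}
{"ts":"2026-05-28T10:00:08Z","src":"203.0.113.7","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"app-4"}
{"ts":"2026-05-28T10:00:09Z","src":"198.51.100.4","path":"/realms/acme/protocol/openid-connect/token","content_type":"application/x-www-form-urlencoded","client_id":"portal"}
{"ts":"2026-05-28T10:00:11Z","src":"203.0.113.7","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"app-5"}
{"ts":"2026-05-28T10:00:14Z","src":"203.0.113.7","path":"/realms/acme/protocol/saml","content_type":"application/soap+xml","client_id":"app-6"}
"""

def parse_log(text):
    """Parse JSON-lines records; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return events

def find_client_enumeration(events, window=WINDOW, threshold=DISTINCT_CLIENT_THRESHOLD):
    """Alert on sources probing many distinct client IDs via SOAP at the SAML endpoint."""
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        soap = e.get("content_type", "").startswith("application/soap+xml")
        if SAML_PATH_MARKER in e["path"] and soap:
            by_src.setdefault(e["src"], []).append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            ids = {e["client_id"] for e in evs[start:end + 1]}
            if len(ids) >= threshold:
                alerts.append({"src": src, "distinct_clients": len(ids),
                               "first_seen": evs[start]["ts"].isoformat(),
                               "last_seen": evs[end]["ts"].isoformat()})
                break  # one alert per source is enough for triage
    return alerts
```

Calling `find_client_enumeration(parse_log(SAMPLE_LOG))` flags only 203.0.113.7; legitimate ECP clients normally present one client ID per source, so the distinct-ID count is what separates probing from normal use.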

Impact

Successful exploitation allows an attacker to determine the protocol type (e.g., SAML vs. OIDC) of arbitrary clients known to the Keycloak instance. This is an information disclosure that leaks client configuration details, which may aid in further attacks targeting specific client types [1][2].

Mitigation

Red Hat has released a fix for Keycloak as of the 2026-05-28 publication date. Users should update to the latest patched version of Keycloak. No workarounds are mentioned in the available references [1][2].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.