logo

Database

Concurrent sessions In org.keycloak:keycloak-services

Description

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the NotOnOrAfter timestamp within the SubjectConfirmationData. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-11902. NVD-2026-11903. OSV-2026-11904. GCVE-2026-11905. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2026-1190

References

1. https://github.com/keycloak/keycloak/issues/456462. https://bugzilla.redhat.com/show_bug.cgi?id=24308353. https://github.com/keycloak/keycloak

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.