logo

Database

Lack of data validation - Path Traversal In org.keycloak:keycloak-saml-core

Description

Keycloak: Denial of Service via specially crafted SAML input A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-73072. NVD-2026-73073. OSV-2026-73074. GCVE-2026-73075. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2026-7307

References

1. https://github.com/keycloak/keycloak/pull/491192. https://github.com/keycloak/keycloak/commit/be84d28ce4c69c038d542f11405d5ede1d61f4a93. https://bugzilla.redhat.com/show_bug.cgi?id=24765264. https://github.com/keycloak/keycloak/releases/tag/26.6.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.