logo

Database

Authentication mechanism absence or evasion In org.keycloak:keycloak-services

Description

Keycloak: Unauthorized authentication via disabled SAML Identity Provider A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-26032. NVD-2026-26033. OSV-2026-26034. GCVE-2026-26035. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2026-2603

References

1. https://github.com/keycloak/keycloak/issues/469112. https://github.com/keycloak/keycloak/pull/469323. https://github.com/keycloak/keycloak/commit/4fd5367e6cc28cfa68fb2240fc459c12b1fdbf2a4. https://github.com/keycloak/keycloak/commit/8ed7e59dc08d79751a27c23aadb590f06b43f1325. https://bugzilla.redhat.com/show_bug.cgi?id=24403006. https://github.com/keycloak/keycloak/commits/26.5.5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-IHM5V – Vulnerability | Fluid Attacks Database