Fluid Attacks Database

Description

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-services	>=26.5.0 <26.5.5 \|\| >=0 <26.2.14 \|\| >=26.3.0 <26.4.10	26.5.5, 26.2.14, 26.4.10
maven	org.keycloak:keycloak-saml-core	>=26.3.0 <26.4.10 \|\| >=0 <26.2.14 \|\| >=26.5.0 <26.5.5	26.4.10, 26.2.14, 26.5.5
maven	org.keycloak:keycloak-saml-adapter-core	>=0 <26.2.14 \|\| >=26.3.0 <26.4.10 \|\| >=26.5.0 <26.5.5	26.2.14, 26.4.10, 26.5.5

Aliases

1. CVE-2026-20922. NVD-2026-20923. OSV-2026-20924. GCVE-2026-20925. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2026-2092

References

1. https://github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d925082. https://bugzilla.redhat.com/show_bug.cgi?id=2437296