CVE-2026-1190
SAML Timestamp Validation Bypass in Keycloak Enables Session Extension

Publication date: 2026-01-26

Last updated on: 2026-03-05

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-01-26
EPSS evaluated: 2026-05-25
Affected Vendors & Products
Vendor: unknown_vendor
Product: keycloak
Version / Range: up to 2026-01-19 (exclusive)
CWE
CWE-112 (Missing XML Validation): The product accepts XML from an untrusted source but does not validate the XML against the proper schema.
AI Powered Q&A
Can you explain this vulnerability to me?

Keycloak's SAML brokering (Keycloak acting as the service provider toward an external SAML identity provider) checked the NotOnOrAfter attribute on the assertion's Conditions element but not the NotOnOrAfter attribute on SubjectConfirmationData. In the SAML 2.0 Web Browser SSO profile a bearer SubjectConfirmationData carries its own NotOnOrAfter (alongside the Recipient and InResponseTo bindings), and identity providers commonly set it tighter than the Conditions window, so an assertion the IdP meant to be usable for only a few minutes was accepted for the whole Conditions window. An attacker holding a captured response can therefore have it accepted later than intended, leading to longer than expected session durations or resource usage. The flaw does not allow the response to be tampered with: responses are signed and any modification invalidates the signature, so only the acceptance window is widened. [1]


How can this vulnerability impact me?

An attacker holding a valid, signed SAML response can have it accepted after the SubjectConfirmationData NotOnOrAfter deadline the IdP intended, up to the Conditions NotOnOrAfter deadline. The practical effect is longer than expected session durations or increased resource consumption on the broker, that is, weakened control over when a federated login is still usable, rather than access for a user the IdP never authenticated. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts. First, establish exposure: Keycloak is affected only when it brokers to an external SAML identity provider (an Identity Providers entry of type SAML in the realm) and only in versions before the fix, so compare the running version with the Red Hat advisory. Second, confirm the behaviour rather than infer it: capture a SAML response (the Base64 SAMLResponse form field posted to the broker endpoint, visible in a browser's developer tools or a SAML tracer extension; tcpdump or Wireshark only help where you can decrypt the TLS session), decode it, and compare Conditions/@NotOnOrAfter with SubjectConfirmationData/@NotOnOrAfter. A vulnerable build will not reject a response solely because its SubjectConfirmationData deadline has passed; a fixed build will. Watching Keycloak logs for unusually long sessions is weak evidence, because once a brokered login completes the Keycloak session is governed by the realm's session timeouts, not by the assertion's window. The advisory provides no specific detection commands. [1]
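The following script is an added example, not Keycloak's code or the page's: it decodes a SAMLResponse, extracts the two time windows the explanation above contrasts, and puts the vulnerable check (Conditions only) beside the fixed one (Conditions plus SubjectConfirmationData), with an audit helper that reports how many extra seconds a vulnerable broker would honour a given response. The sample response, hostnames, IDs, the optional clock-skew allowance and the decision to reject a bearer confirmation with no NotOnOrAfter at all are assumptions made here for illustration.

```python
"""Time-window checks for a SAML 2.0 Response, as an added example (not Keycloak code).

vulnerable_is_valid() enforces only Conditions/@NotBefore and @NotOnOrAfter, the
behaviour CVE-2026-1190 describes; fixed_is_valid() also enforces
SubjectConfirmationData/@NotBefore and @NotOnOrAfter. Signature verification is
assumed to have passed before these run; never time-check an unverified response.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (hosts and IDs made up): the bearer confirmation expires
# five minutes after issue, while Conditions allow a full hour.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2026-01-20T10:00:00Z" Destination="https://sp.example.test/broker">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-20T10:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2026-01-20T10:05:00Z"
            Recipient="https://sp.example.test/broker" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-20T09:59:00Z" NotOnOrAfter="2026-01-20T11:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def decode_saml_response(form_value):
    """Decode the Base64 SAMLResponse field of the HTTP-POST binding."""
    return base64.b64decode(form_value).decode("utf-8")


def extract_windows(xml_text):
    """Return the four timestamps (None where absent) of the first assertion."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)

    def attr(element, name):
        value = element.get(name) if element is not None else None
        return parse_instant(value) if value else None

    return {"cond_not_before": attr(conditions, "NotBefore"),
            "cond_not_on_or_after": attr(conditions, "NotOnOrAfter"),
            "scd_not_before": attr(scd, "NotBefore"),
            "scd_not_on_or_after": attr(scd, "NotOnOrAfter")}


def _in_window(now, not_before, not_on_or_after, skew):
    """SAML semantics: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    if not_before is not None and now < not_before - skew:
        return False
    return not_on_or_after is None or now < not_on_or_after + skew


def vulnerable_is_valid(xml_text, now, skew_seconds=0):
    """Checks Conditions only, so a bearer assertion is honoured past its
    SubjectConfirmationData deadline (the CVE-2026-1190 behaviour)."""
    w, skew = extract_windows(xml_text), timedelta(seconds=skew_seconds)
    return _in_window(now, w["cond_not_before"], w["cond_not_on_or_after"], skew)


def fixed_is_valid(xml_text, now, skew_seconds=0):
    """Checks both windows. Also rejects a bearer confirmation with no NotOnOrAfter,
    which the Web Browser SSO profile requires (this strictness is our choice)."""
    w, skew = extract_windows(xml_text), timedelta(seconds=skew_seconds)
    if w["scd_not_on_or_after"] is None:
        return False
    return (_in_window(now, w["cond_not_before"], w["cond_not_on_or_after"], skew)
            and _in_window(now, w["scd_not_before"], w["scd_not_on_or_after"], skew))


def extension_seconds(xml_text):
    """Audit helper: seconds beyond the IdP's intended deadline that a vulnerable
    broker would still accept this response (Conditions minus SCD NotOnOrAfter)."""
    w = extract_windows(xml_text)
    if w["cond_not_on_or_after"] is None or w["scd_not_on_or_after"] is None:
        return None
    return int((w["cond_not_on_or_after"] - w["scd_not_on_or_after"]).total_seconds())


if __name__ == "__main__":
    xml_text = decode_saml_response(base64.b64encode(SAMPLE_RESPONSE.encode()))
    for ts in ("2026-01-20T10:03:00Z", "2026-01-20T10:30:00Z", "2026-01-20T11:30:00Z"):
        now = parse_instant(ts)
        print(ts, "vulnerable:", vulnerable_is_valid(xml_text, now),
              "fixed:", fixed_is_valid(xml_text, now))
    print("extra acceptance window on a vulnerable broker:", extension_seconds(xml_text), "s")
```

Run against a response captured from your own IdP, the middle timestamp (after the SubjectConfirmationData deadline, before the Conditions deadline) is the case that separates a vulnerable broker from a fixed one, and extension_seconds tells you how much of a gap your IdP's assertion lifetimes actually leave open. The checks deliberately come after signature verification in the design: time attributes are only trustworthy once the signature over the assertion has been verified, which is also why the CVE does not permit forging a later deadline.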


What immediate steps should I take to mitigate this vulnerability?

Update Keycloak to a release that validates the NotBefore and NotOnOrAfter attributes of SubjectConfirmationData; that is the only complete fix. Until the update is applied: keep the gap small at the source by configuring the external IdP so that the assertion's Conditions NotOnOrAfter is as tight as its SubjectConfirmationData NotOnOrAfter, since the flaw only widens the window up to the Conditions deadline, which Keycloak does enforce; bound the effect on the Keycloak side with the realm's session idle and session max timeouts and by keeping signature validation for responses and assertions enabled on the SAML identity provider configuration; and restrict network access to the broker endpoint to reduce the chance that a valid response is captured in the first place. [1]

