CVE-2026-1190
Unknown Unknown - Not Provided
SAML Timestamp Validation Bypass in Keycloak Enables Session Extension

Publication date: 2026-01-26

Last updated on: 2026-03-05

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1190
EUVD
EUVD-2026-4670
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor keycloak to 2026-01-19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-112 The product accepts XML from an untrusted source but does not validate the XML against the proper schema.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Keycloak's SAML brokering occurs because Keycloak does not validate the NotOnOrAfter timestamp within the SubjectConfirmationData of a SAML response. While the NotOnOrAfter attribute in the Conditions element is checked, the unchecked timestamp in SubjectConfirmationData allows an attacker to delay the expiration of a SAML response. This means the response can be accepted beyond its intended expiration time, potentially extending session durations or resource usage unexpectedly. However, the vulnerability does not allow tampering or replay attacks since the SAML responses are signed and any modification would invalidate the signature. [1]

Impact Analysis

The vulnerability can impact you by allowing an attacker to extend the validity period of a SAML response, which may lead to longer than expected session durations or increased resource consumption on the system. This could result in unexpected behavior in session management or resource allocation, potentially affecting system stability or user session control. [1]

Detection Guidance

Detection of this vulnerability involves verifying whether your Keycloak instance is configured as a SAML client and checking if it properly validates the NotOnOrAfter attribute within SubjectConfirmationData of SAML responses. Since the vulnerability is due to lack of validation in Keycloak's SAML brokering service, you can monitor Keycloak logs for unusually long session durations or resource consumption that might indicate delayed expiration acceptance. Additionally, you can capture and inspect SAML responses using tools like 'tcpdump' or 'Wireshark' to analyze the SubjectConfirmationData timestamps. There are no specific commands provided to detect the vulnerability directly. [1]

Mitigation Strategies

The immediate mitigation step is to update Keycloak to a version that includes the fix which validates the NotBefore and NotOnOrAfter attributes within SubjectConfirmationData in SAML responses. Until an update is applied, consider monitoring and limiting session durations and resource usage as a temporary measure. Also, review your Identity Provider (IdP) configurations to ensure they do not rely solely on SubjectConfirmationData timestamps for session validity. Applying security best practices such as restricting network access to Keycloak and enforcing strict session management policies can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart