CVE-2026-2092
Improper Validation in Keycloak SAML Broker Enables Unauthorized Access
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jboss | keycloak | * |
| keycloak | keycloak-services | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's handling of SAML broker endpoints. Keycloak fails to properly validate encrypted SAML assertions when the overall SAML response is not signed. Specifically, while it ensures that plaintext assertions are signed, it does not enforce the same for encrypted assertions.
An attacker who has a valid signed SAML assertion for themselves can craft a malicious SAML response containing two assertions: an encrypted assertion for an arbitrary principal placed first, and a valid signed assertion for the attacker placed second. Keycloak processes the first encrypted assertion without verifying its signature, allowing the attacker to impersonate another user and gain unauthorized access. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to systems protected by Keycloak. An attacker can impersonate arbitrary users by injecting encrypted assertions that are not properly validated, potentially gaining access to sensitive information or performing actions on behalf of other users.
Additionally, this flaw can result in information disclosure and compromise the integrity and confidentiality of user sessions and data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring SAML responses processed by Keycloak, specifically looking for unsigned SAML responses that contain encrypted assertions placed before valid signed assertions.
You can analyze SAML traffic to identify responses where the overall SAML response is unsigned but contains multiple assertions, with the first assertion being an encrypted assertion.
Commands or tools to assist in detection might include:
- Using network capture tools like tcpdump or Wireshark to capture SAML traffic on the network.
- Extracting and inspecting SAML responses with XML parsing tools or scripts to check the signature status of the response and the order and signature status of assertions.
- Example command to capture traffic on port 8080 (Keycloak's default HTTP port): `tcpdump -i any port 8080 -w saml_traffic.pcap`
- Use XML parsing tools or custom scripts to analyze the captured SAML responses for unsigned responses in which an encrypted assertion is placed ahead of the signed assertions.
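The following added example (not from the page or the Keycloak project) shows the kind of check the last bullet describes: it inspects one decoded `samlp:Response`, records whether the Response itself is signed, lists the assertion kinds in document order, and flags the layout the description attributes to the malicious response. It assumes you have already extracted and base64-decoded the `SAMLResponse` parameter, which a raw tcpdump capture only yields in the clear when TLS is terminated in front of Keycloak; the two XML documents are constructed samples, not real captures.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML Signature.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE = f"{{{DS}}}Signature"
ASSERTION = f"{{{SAML}}}Assertion"
ENCRYPTED_ASSERTION = f"{{{SAML}}}EncryptedAssertion"


def audit_saml_response(xml_text: str) -> dict:
    """Describe the signature layout of a decoded <samlp:Response>.

    'response_signed' is True when the Response element carries its own
    ds:Signature; 'layout' lists the direct child assertions in order as
    'signed', 'unsigned' or 'encrypted'; 'unsigned_with_encrypted' marks the
    condition the CVE text describes as the risk (unsigned Response holding an
    EncryptedAssertion); 'suspicious' additionally requires that an encrypted
    assertion precedes the first signed one, the attack layout described above.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response document")
    response_signed = root.find(SIGNATURE) is not None
    layout = []
    for child in root:
        if child.tag == ASSERTION:
            layout.append("signed" if child.find(SIGNATURE) is not None else "unsigned")
        elif child.tag == ENCRYPTED_ASSERTION:
            layout.append("encrypted")
    unsigned_with_encrypted = (not response_signed) and "encrypted" in layout
    first_signed = layout.index("signed") if "signed" in layout else len(layout)
    suspicious = unsigned_with_encrypted and "encrypted" in layout[:first_signed]
    return {"response_signed": response_signed, "layout": layout,
            "unsigned_with_encrypted": unsigned_with_encrypted, "suspicious": suspicious}


# Constructed sample (not a real capture): unsigned Response with an
# EncryptedAssertion first and a signed Assertion second.
SUSPICIOUS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1">
  <saml:EncryptedAssertion><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
  <saml:Assertion ID="_a2"><ds:Signature/><saml:Subject/></saml:Assertion>
</samlp:Response>"""

# Constructed benign sample: the whole Response is signed, so the encrypted
# assertion is covered by the outer signature.
SIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r2">
  <ds:Signature/>
  <saml:EncryptedAssertion><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RESPONSE), ("signed", SIGNED_RESPONSE)):
        print(name, audit_saml_response(doc))
```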
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Keycloak to a version where this vulnerability is fixed, as the issue arises from improper validation of encrypted assertions.
Until an update is applied, consider the following:
- Enforce strict validation policies on SAML responses, ensuring that the entire SAML response is signed, not just individual assertions.
- Restrict or monitor SAML broker endpoint access to trusted sources only.
- Review and audit SAML assertions and responses for anomalies such as unsigned responses containing encrypted assertions.
- Apply network-level controls to detect and block suspicious SAML traffic patterns.