CVE-2026-2575
Analyzed Analyzed - Analysis Complete
Denial of Service in Keycloak via SAMLRequest Decompression

Publication date: 2026-03-18

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-06-03
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2575
EUVD
EUVD-2026-12766
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak From 26.4 (inc) to 26.4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2575 is a Denial of Service (DoS) vulnerability found in Keycloak. It occurs when an unauthenticated remote attacker sends a highly compressed SAMLRequest message through the SAML Redirect Binding. The Keycloak server does not enforce size limits during the DEFLATE decompression of this request, which can cause excessive memory consumption. This leads to an OutOfMemoryError (OOM) and causes the Keycloak process to terminate, disrupting the service.

Impact Analysis

This vulnerability can impact you by allowing an attacker to disrupt the availability of your Keycloak service. Since the attack causes the Keycloak process to terminate due to an OutOfMemoryError, it results in a denial of service, making the authentication service unavailable to legitimate users.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves monitoring for unusual Keycloak process terminations or OutOfMemoryError (OOM) events caused by highly compressed SAMLRequest messages sent via the SAML Redirect Binding.

Network detection can focus on identifying unusually large or highly compressed SAMLRequest parameters in HTTP requests to the Keycloak server.

While no specific commands are provided in the resources, general approaches include:

  • Monitoring Keycloak logs for OOM errors or process crashes.
  • Using network packet capture tools (e.g., tcpdump or Wireshark) to filter and analyze HTTP requests containing SAMLRequest parameters.
  • Employing system monitoring commands like `dmesg` or `journalctl` to check for memory-related errors or process restarts.
Mitigation Strategies

Immediate mitigation steps include restricting or filtering incoming SAMLRequest messages to prevent highly compressed payloads from reaching the Keycloak server.

Since the vulnerability arises from lack of size limits during DEFLATE decompression, applying patches or updates provided by Keycloak or the vendor is the most effective mitigation.

In the absence of patches, consider implementing network-level protections such as Web Application Firewalls (WAFs) to detect and block suspicious SAMLRequest traffic.

Additionally, monitoring system resources and setting limits on memory usage for the Keycloak process can help reduce the impact of potential attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2575. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart