CVE-2026-2575
Denial of Service in Keycloak via SAMLRequest Decompression
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
| jboss | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2575 is a Denial of Service (DoS) vulnerability found in Keycloak. It occurs when an unauthenticated remote attacker sends a highly compressed SAMLRequest message through the SAML Redirect Binding. The Keycloak server does not enforce size limits during the DEFLATE decompression of this request, which can cause excessive memory consumption. This leads to an OutOfMemoryError (OOM) and causes the Keycloak process to terminate, disrupting the service.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to disrupt the availability of your Keycloak service. Since the attack causes the Keycloak process to terminate due to an OutOfMemoryError, it results in a denial of service, making the authentication service unavailable to legitimate users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual Keycloak process terminations or OutOfMemoryError (OOM) events caused by highly compressed SAMLRequest messages sent via the SAML Redirect Binding.
Network detection can focus on identifying unusually large or highly compressed SAMLRequest parameters in HTTP requests to the Keycloak server.
While no specific commands are provided in the resources, general approaches include:
- Monitoring Keycloak logs for OOM errors or process crashes.
- Using network packet capture tools (e.g., tcpdump or Wireshark) to filter and analyze HTTP requests containing SAMLRequest parameters.
- Employing system monitoring commands like `dmesg` or `journalctl` to check for memory-related errors or process restarts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or filtering incoming SAMLRequest messages to prevent highly compressed payloads from reaching the Keycloak server.
Since the vulnerability arises from lack of size limits during DEFLATE decompression, applying patches or updates provided by Keycloak or the vendor is the most effective mitigation.
In the absence of patches, consider implementing network-level protections such as Web Application Firewalls (WAFs) to detect and block suspicious SAMLRequest traffic.
Additionally, monitoring system resources and setting limits on memory usage for the Keycloak process can help reduce the impact of potential attacks.
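As an added illustration of the size-limit problem explained above and the mitigation just described, the following Python example (not Keycloak's own code; the 64 KiB cap, the function names and the sample requests are assumptions) places the vulnerable unbounded inflate of a Redirect Binding SAMLRequest next to a bounded one that stops as soon as the inflated output passes the cap.

```python
import base64
import urllib.parse
import zlib

# Assumed cap on the inflated SAMLRequest (hypothetical; tune to the largest legitimate AuthnRequest).
MAX_INFLATED_BYTES = 64 * 1024

class SamlRequestTooLarge(ValueError):
    """Raised when an inflated SAMLRequest would exceed MAX_INFLATED_BYTES."""

def encode_redirect_saml_request(xml: bytes) -> str:
    """Redirect Binding encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = comp.compress(xml) + comp.flush()
    return urllib.parse.quote_plus(base64.b64encode(deflated).decode("ascii"))

def inflate_unbounded(param: str) -> bytes:
    """Vulnerable pattern: inflate the whole stream with no limit on the output size."""
    deflated = base64.b64decode(urllib.parse.unquote_plus(param))
    return zlib.decompress(deflated, wbits=-15)

def inflate_bounded(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Hardened pattern: inflate in 4 KiB chunks and abort once the output passes the cap."""
    deflated = base64.b64decode(urllib.parse.unquote_plus(param))
    dec = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = deflated
    while pending:
        # max_length bounds this call's output; unread input is parked in unconsumed_tail
        out += dec.decompress(pending, max_length=4096)
        if len(out) > limit:
            raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
        pending = dec.unconsumed_tail
    out += dec.flush()  # drain any output still buffered after the last chunk
    if len(out) > limit:
        raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
    return bytes(out)

def accepts_saml_request(param: str) -> bool:
    """True if the request inflates within the cap, False if the bounded inflate rejects it."""
    try:
        inflate_bounded(param)
        return True
    except SamlRequestTooLarge:
        return False

# Constructed inputs: a small AuthnRequest, and 280 KB of repeated XML that deflates to under 1 KB.
SAMPLE_XML = b'<samlp:AuthnRequest ID="_c1" Version="2.0"/>'
OVERSIZED_XML = b"<samlp:AuthnRequest>" + b"<saml:Issuer>x</saml:Issuer>" * 10000 + b"</samlp:AuthnRequest>"
```

Both functions accept the small request; only the bounded one refuses the oversized one, and it does so while holding at most limit plus one chunk in memory.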