Executive Summary

CVE-2026-2603 is a high-severity vulnerability in Keycloak that allows a remote attacker to bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins.

Even if the SAML Identity Provider is disabled in Keycloak, the attacker can still complete broker logins because the SAML protocol endpoint remains reachable and Keycloak improperly accepts the authentication.

To exploit this, the attacker must know the broker URL for IdP-initiated logins, have access to the SAML endpoint, and be able to authenticate as a valid user on the external IdP to generate a valid SAML response.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized authentication, allowing attackers to bypass security controls and gain access to systems or data without proper authorization.

Since the attacker can complete broker logins even when the SAML Identity Provider is disabled, it violates confidentiality and authentication guarantees, potentially exposing sensitive information or allowing unauthorized actions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for unexpected or unauthorized SAML responses sent to the Keycloak SAML endpoint for IdP-initiated broker logins. Since the vulnerability allows bypassing security controls by sending valid SAML responses from an external Identity Provider (IdP), network or system administrators should look for SAML authentication attempts originating from disabled or untrusted IdPs.'}, {'type': 'paragraph', 'content': 'Specifically, administrators can check access logs of the Keycloak server for requests to the SAML endpoint related to IdP-initiated broker logins, especially those that correspond to disabled SAML IdPs.'}, {'type': 'paragraph', 'content': 'While no explicit commands are provided in the resources, general commands to inspect Keycloak logs or network traffic might include:'}, {'type': 'list_item', 'content': "Using grep to search Keycloak server logs for SAML endpoint access: grep 'saml' /path/to/keycloak/logs/server.log"}, {'type': 'list_item', 'content': "Using tcpdump or tshark to capture and analyze SAML traffic on the network: tcpdump -i <interface> -A port 8080 | grep 'SAMLResponse'"}, {'type': 'list_item', 'content': 'Reviewing Keycloak admin console or API logs for broker login attempts from disabled IdPs.'}, {'type': 'paragraph', 'content': 'Detection requires knowledge of the broker URL for IdP-initiated logins and correlating authentication attempts with the status of the IdP in Keycloak.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include ensuring that the vulnerable Keycloak version (such as 26.5.2) is updated to a fixed version where this issue is resolved.

Since the vulnerability arises because the SAML protocol endpoint remains reachable even when the SAML Identity Provider is disabled, administrators should:

• Temporarily disable or restrict access to the SAML endpoint for IdP-initiated broker logins if possible.
• Review and verify the configuration of SAML Identity Providers in Keycloak to ensure that disabled IdPs cannot be used for authentication.
• Implement network-level controls to restrict access to the Keycloak SAML endpoint only to trusted sources.

Ultimately, applying the official patch or upgrade provided by Keycloak or the vendor is the recommended action to fully mitigate the vulnerability.

Useful 0 Not Useful 0