CVE-2026-3047
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Access via SAML Client Misconfiguration in Keycloak

Publication date: 2026-03-05

Last updated on: 2026-03-26

Assigner: Red Hat, Inc.

Description
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3047
EUVD
EUVD-2026-9864
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
redhat keycloak *
redhat build_of_keycloak *
redhat build_of_keycloak 26.2
redhat build_of_keycloak 26.2.14
redhat build_of_keycloak 26.4
redhat build_of_keycloak 26.4.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Keycloak SAML broker component where a disabled SAML client can still complete an Identity Provider (IdP)-initiated login process. Even though the client is marked as disabled, it can finalize the login and create a valid Single Sign-On (SSO) session. This means a remote attacker can bypass security restrictions and gain unauthorized access to other enabled clients without needing to re-authenticate.

Impact Analysis

[{'type': 'paragraph', 'content': "The impact of this vulnerability is significant because it allows an attacker to gain unauthorized access to enabled clients within the Keycloak realm without re-authenticating. This unauthorized session creation can lead to access escalation and compromise of sensitive resources or services protected by Keycloak's SSO mechanism."}] [1]

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves verifying if a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target in your Keycloak instance. Since the vulnerability allows a disabled client to complete login and establish SSO sessions, monitoring authentication logs for unexpected successful logins via disabled clients can help identify exploitation attempts.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

Immediate mitigation involves ensuring that disabled SAML clients are not configured as IdP-initiated broker landing targets in your Keycloak configuration. Review and update your Keycloak realm settings to remove or properly disable any such clients to prevent unauthorized session creation.

Additionally, monitor authentication logs for suspicious activity related to SAML clients and consider applying any patches or updates provided by your Keycloak vendor addressing this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart