CVE-2026-3047
Unauthorized Access via SAML Client Misconfiguration in Keycloak
Publication date: 2026-03-05
Last updated on: 2026-03-26
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
| redhat | build_of_keycloak | * |
| redhat | build_of_keycloak | 26.2 |
| redhat | build_of_keycloak | 26.2.14 |
| redhat | build_of_keycloak | 26.4 |
| redhat | build_of_keycloak | 26.4.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Keycloak SAML broker component where a disabled SAML client can still complete an Identity Provider (IdP)-initiated login process. Even though the client is marked as disabled, it can finalize the login and create a valid Single Sign-On (SSO) session. This means a remote attacker can bypass security restrictions and gain unauthorized access to other enabled clients without needing to re-authenticate.
How can this vulnerability impact me?
The impact of this vulnerability is significant because it allows an attacker to gain unauthorized access to enabled clients within the Keycloak realm without re-authenticating. This unauthorized session creation can lead to access escalation and compromise of sensitive resources or services protected by Keycloak's SSO mechanism. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if a disabled SAML client is configured as an Identity Provider (IdP)-initiated broker landing target in your Keycloak instance. Since the vulnerability allows a disabled client to complete login and establish SSO sessions, monitoring authentication logs for unexpected successful logins via disabled clients can help identify exploitation attempts.
There are no specific commands provided in the available resources to detect this vulnerability directly.
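As an added example (not part of this advisory or of Keycloak itself), the following script performs the configuration review described above against a Keycloak realm export: it flags SAML clients that are disabled yet still carry an IdP-initiated SSO URL name. It assumes the realm export JSON layout (`clients[]` with `protocol`, `enabled`, `attributes`) and the attribute key `saml_idp_initiated_sso_url_name`; the sample export is constructed.

```python
import json

# Constructed sample realm export (not real data): one disabled SAML client
# that still carries an IdP-initiated SSO URL name, one enabled SAML client,
# one disabled SAML client without the attribute, and one OIDC client.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "legacy-portal", "protocol": "saml", "enabled": False,
         "attributes": {"saml_idp_initiated_sso_url_name": "legacy-portal"}},
        {"clientId": "hr-app", "protocol": "saml", "enabled": True,
         "attributes": {"saml_idp_initiated_sso_url_name": "hr"}},
        {"clientId": "old-saml", "protocol": "saml", "enabled": False,
         "attributes": {}},
        {"clientId": "web-ui", "protocol": "openid-connect", "enabled": False,
         "attributes": {}},
    ],
})

# Keycloak SAML client attribute holding the IdP-initiated SSO URL name (assumed key).
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"


def find_disabled_idp_initiated_saml_clients(realm_export_json):
    """Return (clientId, landing_path) for every SAML client that is disabled
    but still exposes an IdP-initiated SSO URL name. These are the entries the
    advisory says to remove or fully disable; the path follows Keycloak's
    documented IdP-initiated URL pattern and can be grepped for in access logs."""
    realm = json.loads(realm_export_json)
    realm_name = realm.get("realm", "<realm>")
    findings = []
    for client in realm.get("clients", []):
        if client.get("protocol") != "saml":
            continue
        if client.get("enabled", True):
            continue  # enabled clients are expected to accept IdP-initiated logins
        url_name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR, "")
        if not url_name:
            continue  # disabled and not reachable via an IdP-initiated URL: fine
        landing = f"/realms/{realm_name}/protocol/saml/clients/{url_name}"
        findings.append((client["clientId"], landing))
    return findings


if __name__ == "__main__":
    for client_id, path in find_disabled_idp_initiated_saml_clients(SAMPLE_REALM_EXPORT):
        print(f"disabled SAML client {client_id!r} still has IdP-initiated landing URL {path}")
```

Run it against `kc.sh export` output (or the admin REST `clients` listing wrapped in the same shape) and clear the attribute or delete the client for every finding.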
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that disabled SAML clients are not configured as IdP-initiated broker landing targets in your Keycloak configuration. Review and update your Keycloak realm settings to remove or properly disable any such clients to prevent unauthorized session creation.
Additionally, monitor authentication logs for suspicious activity related to SAML clients and consider applying any patches or updates provided by your Keycloak vendor addressing this issue.