CVE-2026-7307
Analyzed Analyzed - Analysis Complete
Keycloak SAML DoS via XML Entity Expansion

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-03
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-7307
EUVD
EUVD-2026-30883
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak From 26.4 (inc) to 26.4.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1286 The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Keycloak, where a remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint.

The malicious input causes excessive CPU usage and worker thread starvation, which leads to a Denial of Service (DoS) condition making the server unavailable.

Impact Analysis

The impact of this vulnerability is a Denial of Service (DoS) on the Keycloak server.

Because the attack causes high CPU usage and worker thread starvation, the server becomes unavailable, potentially disrupting authentication services and access control.

Compliance Impact

The vulnerability causes a Denial of Service (DoS) by making the Keycloak server unavailable due to high CPU usage and worker thread starvation. This impacts the availability aspect of security.

However, there is no information provided about the vulnerability leading to data breaches, unauthorized access, or data integrity issues.

Since compliance standards like GDPR and HIPAA emphasize availability as one of the key principles, this DoS vulnerability could negatively affect compliance by impairing system availability.

No explicit details are given about direct impacts on confidentiality or integrity, or specific compliance violations.

Detection Guidance

This vulnerability can be detected by monitoring the Keycloak server for unusually high CPU usage and worker thread starvation, especially when receiving XML input at the SAML endpoint.

Network detection could involve inspecting incoming traffic to the SAML endpoint for suspicious or unusually large XML payloads that could trigger the denial of service.

Specific commands to detect this condition are not provided in the available resources.

Mitigation Strategies

The provided information does not specify immediate mitigation steps for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart