CVE-2026-7307
Keycloak SAML DoS via XML Entity Expansion
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jboss | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1286 | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak, where a remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint.
The malicious input causes excessive CPU usage and worker thread starvation, which leads to a Denial of Service (DoS) condition making the server unavailable.
How can this vulnerability impact me?
The impact of this vulnerability is a Denial of Service (DoS) on the Keycloak server.
Because the attack causes high CPU usage and worker thread starvation, the server becomes unavailable, potentially disrupting authentication services and access control.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a Denial of Service (DoS) by making the Keycloak server unavailable due to high CPU usage and worker thread starvation. This impacts the availability aspect of security.
However, there is no information provided about the vulnerability leading to data breaches, unauthorized access, or data integrity issues.
Since compliance standards like GDPR and HIPAA emphasize availability as one of the key principles, this DoS vulnerability could negatively affect compliance by impairing system availability.
No explicit details are given about direct impacts on confidentiality or integrity, or specific compliance violations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Keycloak server for unusually high CPU usage and worker thread starvation, especially when receiving XML input at the SAML endpoint.
Network detection could involve inspecting incoming traffic to the SAML endpoint for suspicious or unusually large XML payloads that could trigger the denial of service.
Specific commands to detect this condition are not provided in the available resources.
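The page gives no concrete detection logic, so the following is an added example (not Keycloak's code, not from Red Hat's advisory, and not the actual fix, which the page does not describe). It screens the `SAMLRequest`/`SAMLResponse` parameters of incoming requests in front of the SAML endpoint: it decodes the message as the SAML HTTP-POST binding (base64) or HTTP-Redirect binding (raw DEFLATE, then base64) carries it, caps the inflated size, and flags any DOCTYPE, entity declaration or non-predefined entity reference, since SAML protocol messages never legitimately carry a DTD. `MAX_DECODED_BYTES` and the two sample messages are assumptions constructed for the example; the screening criteria reflect the general nature of XML entity-expansion attacks, not the specific payload of this CVE.

```python
import base64
import re
import zlib

# Assumed ceiling on the decoded XML size; tune for your deployment.
MAX_DECODED_BYTES = 256 * 1024

# Constructed sample messages (not real traffic and not a Keycloak test fixture).
SAFE_AUTHN_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example-1" Version="2.0" IssueInstant="2026-05-19T00:00:00Z"/>'
)
DTD_AUTHN_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE samlp:AuthnRequest [<!ENTITY pad "xxxxxxxx">]>'
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example-2" Version="2.0">&pad;&pad;&pad;</samlp:AuthnRequest>'
)

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
ENTITY_REF_RE = re.compile(rb"&[A-Za-z_:][\w.:-]*;")
PREDEFINED_ENTITIES = {b"&lt;", b"&gt;", b"&amp;", b"&quot;", b"&apos;"}


def encode_post_param(xml_bytes: bytes) -> str:
    """Encode as the SAML HTTP-POST binding does: plain base64."""
    return base64.b64encode(xml_bytes).decode("ascii")


def encode_redirect_param(xml_bytes: bytes) -> str:
    """Encode as the SAML HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def decode_saml_param(value: str, redirect_binding: bool) -> bytes:
    """Recover the XML from a SAMLRequest/SAMLResponse parameter.

    Inflation is capped so a compression bomb cannot exhaust memory before
    the XML screening below even runs.
    """
    raw = base64.b64decode(value, validate=True)
    if not redirect_binding:
        return raw
    inflater = zlib.decompressobj(wbits=-15)
    xml_bytes = inflater.decompress(raw, MAX_DECODED_BYTES + 1)
    if len(xml_bytes) > MAX_DECODED_BYTES or inflater.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds MAX_DECODED_BYTES")
    return xml_bytes


def screen_saml_xml(xml_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious.

    Any DOCTYPE or ENTITY declaration, or any entity reference other than the
    five predefined ones, is a reason to reject the message before it reaches
    the XML parser, where entity expansion would burn CPU and worker threads.
    """
    findings = []
    if len(xml_bytes) > MAX_DECODED_BYTES:
        findings.append(f"oversized-payload={len(xml_bytes)}")
    if DOCTYPE_RE.search(xml_bytes):
        findings.append("doctype-present")
    if ENTITY_DECL_RE.search(xml_bytes):
        findings.append("entity-declaration")
    custom_refs = [r for r in ENTITY_REF_RE.findall(xml_bytes) if r not in PREDEFINED_ENTITIES]
    if custom_refs:
        findings.append(f"custom-entity-refs={len(custom_refs)}")
    return findings


def screen_request(params: dict, redirect_binding: bool) -> dict:
    """Screen every SAML message parameter in one request, keyed by parameter name."""
    results = {}
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in params:
            try:
                xml_bytes = decode_saml_param(params[name], redirect_binding)
            except (ValueError, zlib.error) as exc:
                results[name] = [f"decode-error: {exc}"]
                continue
            results[name] = screen_saml_xml(xml_bytes)
    return results


if __name__ == "__main__":
    for label, msg in (("benign", SAFE_AUTHN_REQUEST), ("dtd", DTD_AUTHN_REQUEST)):
        params = {"SAMLRequest": encode_redirect_param(msg)}
        print(label, screen_request(params, redirect_binding=True))
```

Run it as a reverse-proxy or WAF plug-in in front of the SAML endpoint, or over captured request bodies from access logs; a non-empty findings list is a reject-and-alert condition. Pairing this pre-parse screen with a parser configured to disallow DTDs is the standard defense against entity-expansion DoS; it does not replace the vendor fix for this CVE.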
What immediate steps should I take to mitigate this vulnerability?
The provided information does not specify immediate mitigation steps for this vulnerability.