Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-2733 (GCVE-0-2026-2733)
Vulnerability from cvelistv5 – Published: 2026-02-19 07:48 – Updated: 2026-03-06 03:31
VLAI?
EPSS
Title
Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol
Summary
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.10-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
Date Public ?
2026-02-19 00:00
Credits
Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:31:08.199908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:31:19.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.10-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-12",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-12",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "affected",
"packageName": "keycloak-services",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected",
"packageName": "keycloak-services",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "affected",
"packageName": "keycloak-services",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue."
}
],
"datePublic": "2026-02-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \u201cEnabled\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T03:31:23.662Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:3947",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"name": "RHSA-2026:3948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-2733"
},
{
"name": "RHBZ#2440895",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440895"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-19T07:14:36.991Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-19T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-285: Improper Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-2733",
"datePublished": "2026-02-19T07:48:08.910Z",
"dateReserved": "2026-02-19T07:15:32.860Z",
"dateUpdated": "2026-03-06T03:31:23.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-2733\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-02-19T08:16:17.980\",\"lastModified\":\"2026-03-05T22:16:25.207\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \u201cEnabled\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.\"},{\"lang\":\"es\",\"value\":\"Se identific\u00f3 una vulnerabilidad en el endpoint de autenticaci\u00f3n Docker v2 de Keycloak, donde los tokens contin\u00faan siendo emitidos incluso despu\u00e9s de que un cliente de registro Docker haya sido deshabilitado administrativamente. Esto significa que al cambiar la configuraci\u00f3n \u0027Enabled\u0027 del cliente a OFF no se impide completamente el acceso. Como resultado, las credenciales previamente v\u00e1lidas a\u00fan pueden ser utilizadas para obtener tokens de autenticaci\u00f3n. Esto debilita los controles administrativos y podr\u00eda permitir un acceso no intencionado a los recursos del registro de contenedores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2026:3947\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:3948\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-2733\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2440895\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2733\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-19T21:31:08.199908Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-19T21:31:14.292Z\"}}], \"cna\": {\"title\": \"Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Low\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4.10-1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-12\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-12\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4.10\", \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Keycloak\", \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Keycloak\", \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 8\", \"packageName\": \"keycloak-services\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jbosseapxp\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform Expansion Pack\", \"packageName\": \"keycloak-services\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:red_hat_single_sign_on:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Single Sign-On 7\", \"packageName\": \"keycloak-services\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-19T07:14:36.991Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-02-19T00:00:00.000Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-02-19T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2026:3947\", \"name\": \"RHSA-2026:3947\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:3948\", \"name\": \"RHSA-2026:3948\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2026-2733\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2440895\", \"name\": \"RHBZ#2440895\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \\u201cEnabled\\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-03-06T03:31:23.662Z\"}, \"x_redhatCweChain\": \"CWE-285: Improper Authorization\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-2733\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T03:31:23.662Z\", \"dateReserved\": \"2026-02-19T07:15:32.860Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-02-19T07:48:08.910Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
WID-SEC-W-2026-0454
Vulnerability from csaf_certbund - Published: 2026-02-18 23:00 - Updated: 2026-03-05 23:00Summary
Keycloak: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
Severity
Niedrig
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Keycloak ermöglicht Single Sign-On mit Identity and Access Management für moderne Anwendungen und Dienste.
Angriff: Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Keycloak ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme: - Linux
- UNIX
References
{
"document": {
"aggregate_severity": {
"text": "niedrig"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Keycloak erm\u00f6glicht Single Sign-On mit Identity and Access Management f\u00fcr moderne Anwendungen und Dienste.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Keycloak ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0454 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0454.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0454 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0454"
},
{
"category": "external",
"summary": "Red Hat Bugtracker vom 2026-02-18",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440895"
},
{
"category": "external",
"summary": "RedHat Customer Portal vom 2026-02-18",
"url": "https://access.redhat.com/security/cve/cve-2026-2733"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:3947 vom 2026-03-05",
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:3948 vom 2026-03-05",
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
}
],
"source_lang": "en-US",
"title": "Keycloak: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2026-03-05T23:00:00.000+00:00",
"generator": {
"date": "2026-03-06T09:42:30.412+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0454",
"initial_release_date": "2026-02-18T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-18T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-03-05T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Open Source Keycloak",
"product": {
"name": "Open Source Keycloak",
"product_id": "T051021",
"product_identification_helper": {
"cpe": "cpe:/a:keycloak:keycloak:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-2733",
"product_status": {
"known_affected": [
"T051021",
"67646"
]
},
"release_date": "2026-02-18T23:00:00.000+00:00",
"title": "CVE-2026-2733"
}
]
}
RHSA-2026:3947
Vulnerability from csaf_redhat - Published: 2026-03-05 19:07 - Updated: 2026-03-24 11:30Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.10 Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.4.10 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.4.10 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)
* Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass) (CVE-2026-3009)
* Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)
* Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)
* Missing Check on Disabled Client for Docker Registry Protocol (CVE-2026-2733)
* Denial of Service due to excessive SAMLRequest decompression (CVE-2026-2575)
* Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData (CVE-2026-1190)
* Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass (CVE-2026-0707)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
5.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the `Authorization` header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
CWE-112 - Missing XML Validation
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
7.7 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
5.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
8.1 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
CWE-285 - Improper Authorization
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
8.1 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
8.8 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3947
Workaround
To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Guanping Zhang
Bettag Systems
Franz Bettag
Oleh Konko
GMO Cybersecurity by Ierae, Inc.
Sho Odagiri
Reynaldo Immanuel
Joy Gilbert
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.4.10 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.4.10 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)\n* Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass) (CVE-2026-3009)\n* Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)\n* Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)\n* Missing Check on Disabled Client for Docker Registry Protocol (CVE-2026-2733)\n* Denial of Service due to excessive SAMLRequest decompression (CVE-2026-2575)\n* Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData (CVE-2026-1190)\n* Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass (CVE-2026-0707)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3947",
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3947.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.10 Update",
"tracking": {
"current_release_date": "2026-03-24T11:30:07+00:00",
"generator": {
"date": "2026-03-24T11:30:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2026:3947",
"initial_release_date": "2026-03-05T19:07:56+00:00",
"revision_history": [
{
"date": "2026-03-05T19:07:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-05T19:07:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-24T11:30:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4.10",
"product": {
"name": "Red Hat build of Keycloak 26.4.10",
"product_id": "Red Hat build of Keycloak 26.4.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Guanping Zhang"
]
}
],
"cve": "CVE-2026-0707",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-01-08T02:51:20.440000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2427768"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the \"Bearer\" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat because Keycloak\u0027s excessive tolerance for non-standard Bearer token formats in the Authorization header can lead to inconsistencies with front-end security controls such as WAFs and proxies. This may enable potential bypass risks, allowing malformed tokens to circumvent intended security policies.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-0707"
},
{
"category": "external",
"summary": "RHBZ#2427768",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427768"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-0707",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0707"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-0707",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0707"
}
],
"release_date": "2026-01-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the `Authorization` header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass"
},
{
"acknowledgments": [
{
"names": [
"Franz Bettag"
],
"organization": "Bettag Systems"
}
],
"cve": "CVE-2026-1190",
"cwe": {
"id": "CWE-112",
"name": "Missing XML Validation"
},
"discovery_date": "2026-01-19T13:38:52.676000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430835"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. In the Red Hat context, this flaw in Keycloak\u0027s SAML brokering functionality allows an attacker to delay the expiration of SAML responses by not validating the `NotOnOrAfter` timestamp in `SubjectConfirmationData`. This could lead to unexpected session durations or increased resource consumption.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1190"
},
{
"category": "external",
"summary": "RHBZ#2430835",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430835"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190"
}
],
"release_date": "2026-01-19T08:08:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData"
},
{
"acknowledgments": [
{
"names": [
"Oleh Konko"
]
}
],
"cve": "CVE-2026-2092",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"discovery_date": "2026-02-06T10:25:16.675000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437296"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Keycloak\u0027s Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The issue is rated as important severity. A flaw in Red Hat Build of Keycloak\u0027s SAML broker endpoint allows unauthorized access. When the overall SAML response is not signed, an attacker with a valid signed SAML assertion can craft a malicious response to inject an encrypted assertion for an arbitrary principal. This leads to unauthorized access and potential information disclosure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2092"
},
{
"category": "external",
"summary": "RHBZ#2437296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2092",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2092"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092"
}
],
"release_date": "2026-03-05T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions"
},
{
"acknowledgments": [
{
"names": [
"Sho Odagiri"
],
"organization": "GMO Cybersecurity by Ierae, Inc."
}
],
"cve": "CVE-2026-2575",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2026-02-16T08:36:10.890000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440149"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service due to excessive SAMLRequest decompression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This MODERATE impact denial of service flaw affects Red Hat Build of Keycloak (RHBK). An unauthenticated remote attacker can exploit this by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server\u0027s inability to enforce size limits during DEFLATE decompression leads to an OutOfMemoryError, causing process termination and disrupting service availability. This vulnerability is applicable when Keycloak is configured to use SAML Redirect Binding.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2575"
},
{
"category": "external",
"summary": "RHBZ#2440149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2575",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2575"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2575",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2575"
}
],
"release_date": "2026-02-16T08:08:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service due to excessive SAMLRequest decompression"
},
{
"acknowledgments": [
{
"names": [
"Reynaldo Immanuel",
"Joy Gilbert"
]
}
],
"cve": "CVE-2026-2603",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2026-02-16T21:15:53.373000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440300"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This important flaw in Red Hat Build of Keycloak allows a remote attacker to bypass security controls. A disabled SAML Identity Provider can still be exploited for unauthorized authentication via IdP-initiated broker logins if the SAML protocol endpoint is reachable and the attacker knows the broker URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2603"
},
{
"category": "external",
"summary": "RHBZ#2440300",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2603",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603"
}
],
"release_date": "2026-03-05T11:23:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider"
},
{
"acknowledgments": [
{
"names": [
"Reynaldo Immanuel",
"Joy Gilbert"
]
}
],
"cve": "CVE-2026-2733",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2026-02-19T07:14:36.991000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440895"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \u201cEnabled\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The security impact of this vulnerability is rated as Low because successful exploitation requires valid user credentials and knowledge of the Docker client ID. While the issue does not allow privilege escalation beyond the authenticated user\u2019s permissions, it undermines an important administrative control. By continuing to issue tokens for a disabled client, the system fails to properly enforce authorization state, potentially resulting in unintended access to protected container images.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2733"
},
{
"category": "external",
"summary": "RHBZ#2440895",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440895"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2733"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2733",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2733"
}
],
"release_date": "2026-02-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol"
},
{
"cve": "CVE-2026-3009",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2026-02-23T04:55:39.695000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2441867"
}
],
"notes": [
{
"category": "description",
"text": "A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The security impact of this vulnerability is considered High because it allows bypassing an explicit administrative security control. Even though user interaction is required, an attacker can authenticate using an Identity Provider that administrators intentionally disabled. This weakens identity governance controls and may result in unauthorized access depending on the trust level of the external IdP. The root cause is insufficient authorization validation during broker login processing.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3009"
},
{
"category": "external",
"summary": "RHBZ#2441867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3009",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3009"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3009",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3009"
}
],
"release_date": "2026-03-05T11:23:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass)"
},
{
"cve": "CVE-2026-3047",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"discovery_date": "2026-02-23T17:29:50.192000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2441966"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CRITICAL: This flaw allows a disabled SAML client in Keycloak, when configured as an IdP-initiated broker landing target, to still facilitate a successful login. This bypasses the intended security control, granting an authenticated user access to other enabled clients without re-authentication. This issue affects Keycloak instances where a disabled SAML client is configured for IdP-initiated brokering and the user exists in the external Identity Provider.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.10"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3047"
},
{
"category": "external",
"summary": "RHBZ#2441966",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047"
}
],
"release_date": "2026-03-05T11:24:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:07:56+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.",
"product_ids": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.10"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login"
}
]
}
RHSA-2026:3948
Vulnerability from csaf_redhat - Published: 2026-03-05 19:09 - Updated: 2026-03-24 11:30Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.10 Images Update
Severity
Important
Notes
Topic: New images are available for Red Hat build of Keycloak 26.4.10 and Red Hat build of Keycloak 26.4.10 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.10 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.4.10 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)
* Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass) (CVE-2026-3009)
* Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)
* Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)
* Missing Check on Disabled Client for Docker Registry Protocol (CVE-2026-2733)
* Denial of Service due to excessive SAMLRequest decompression (CVE-2026-2575)
* Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData (CVE-2026-1190)
* Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass (CVE-2026-0707)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
5.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the `Authorization` header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.
CWE-112 - Missing XML Validation
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
7.7 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
5.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
8.1 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
CWE-285 - Improper Authorization
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
8.1 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
8.8 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:3948
Workaround
To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
Guanping Zhang
Bettag Systems
Franz Bettag
Oleh Konko
GMO Cybersecurity by Ierae, Inc.
Sho Odagiri
Reynaldo Immanuel
Joy Gilbert
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.4.10 and Red Hat build of Keycloak 26.4.10 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.10 clusters.\nThis erratum releases new images for Red Hat build of Keycloak 26.4.10 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)\n* Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass) (CVE-2026-3009)\n* Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)\n* Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)\n* Missing Check on Disabled Client for Docker Registry Protocol (CVE-2026-2733)\n* Denial of Service due to excessive SAMLRequest decompression (CVE-2026-2575)\n* Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData (CVE-2026-1190)\n* Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass (CVE-2026-0707)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3948",
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3948.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.10 Images Update",
"tracking": {
"current_release_date": "2026-03-24T11:30:12+00:00",
"generator": {
"date": "2026-03-24T11:30:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2026:3948",
"initial_release_date": "2026-03-05T19:09:49+00:00",
"revision_history": [
{
"date": "2026-03-05T19:09:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-05T19:09:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-24T11:30:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4",
"product": {
"name": "Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.4.10-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-12"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-12"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-12"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-12"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-12"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Guanping Zhang"
]
}
],
"cve": "CVE-2026-0707",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-01-08T02:51:20.440000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2427768"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the \"Bearer\" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat because Keycloak\u0027s excessive tolerance for non-standard Bearer token formats in the Authorization header can lead to inconsistencies with front-end security controls such as WAFs and proxies. This may enable potential bypass risks, allowing malformed tokens to circumvent intended security policies.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-0707"
},
{
"category": "external",
"summary": "RHBZ#2427768",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427768"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-0707",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0707"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-0707",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0707"
}
],
"release_date": "2026-01-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the `Authorization` header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass"
},
{
"acknowledgments": [
{
"names": [
"Franz Bettag"
],
"organization": "Bettag Systems"
}
],
"cve": "CVE-2026-1190",
"cwe": {
"id": "CWE-112",
"name": "Missing XML Validation"
},
"discovery_date": "2026-01-19T13:38:52.676000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430835"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. In the Red Hat context, this flaw in Keycloak\u0027s SAML brokering functionality allows an attacker to delay the expiration of SAML responses by not validating the `NotOnOrAfter` timestamp in `SubjectConfirmationData`. This could lead to unexpected session durations or increased resource consumption.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1190"
},
{
"category": "external",
"summary": "RHBZ#2430835",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430835"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190"
}
],
"release_date": "2026-01-19T08:08:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData"
},
{
"acknowledgments": [
{
"names": [
"Oleh Konko"
]
}
],
"cve": "CVE-2026-2092",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"discovery_date": "2026-02-06T10:25:16.675000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437296"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Keycloak\u0027s Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The issue is rated as important severity. A flaw in Red Hat Build of Keycloak\u0027s SAML broker endpoint allows unauthorized access. When the overall SAML response is not signed, an attacker with a valid signed SAML assertion can craft a malicious response to inject an encrypted assertion for an arbitrary principal. This leads to unauthorized access and potential information disclosure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2092"
},
{
"category": "external",
"summary": "RHBZ#2437296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2092",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2092"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092"
}
],
"release_date": "2026-03-05T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions"
},
{
"acknowledgments": [
{
"names": [
"Sho Odagiri"
],
"organization": "GMO Cybersecurity by Ierae, Inc."
}
],
"cve": "CVE-2026-2575",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2026-02-16T08:36:10.890000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440149"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service due to excessive SAMLRequest decompression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This MODERATE impact denial of service flaw affects Red Hat Build of Keycloak (RHBK). An unauthenticated remote attacker can exploit this by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server\u0027s inability to enforce size limits during DEFLATE decompression leads to an OutOfMemoryError, causing process termination and disrupting service availability. This vulnerability is applicable when Keycloak is configured to use SAML Redirect Binding.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2575"
},
{
"category": "external",
"summary": "RHBZ#2440149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2575",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2575"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2575",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2575"
}
],
"release_date": "2026-02-16T08:08:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service due to excessive SAMLRequest decompression"
},
{
"acknowledgments": [
{
"names": [
"Reynaldo Immanuel",
"Joy Gilbert"
]
}
],
"cve": "CVE-2026-2603",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2026-02-16T21:15:53.373000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440300"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This important flaw in Red Hat Build of Keycloak allows a remote attacker to bypass security controls. A disabled SAML Identity Provider can still be exploited for unauthorized authentication via IdP-initiated broker logins if the SAML protocol endpoint is reachable and the attacker knows the broker URL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2603"
},
{
"category": "external",
"summary": "RHBZ#2440300",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2603",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603"
}
],
"release_date": "2026-03-05T11:23:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider"
},
{
"acknowledgments": [
{
"names": [
"Reynaldo Immanuel",
"Joy Gilbert"
]
}
],
"cve": "CVE-2026-2733",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2026-02-19T07:14:36.991000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440895"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \u201cEnabled\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The security impact of this vulnerability is rated as Low because successful exploitation requires valid user credentials and knowledge of the Docker client ID. While the issue does not allow privilege escalation beyond the authenticated user\u2019s permissions, it undermines an important administrative control. By continuing to issue tokens for a disabled client, the system fails to properly enforce authorization state, potentially resulting in unintended access to protected container images.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2733"
},
{
"category": "external",
"summary": "RHBZ#2440895",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440895"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2733"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2733",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2733"
}
],
"release_date": "2026-02-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol"
},
{
"cve": "CVE-2026-3009",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2026-02-23T04:55:39.695000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2441867"
}
],
"notes": [
{
"category": "description",
"text": "A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The security impact of this vulnerability is considered High because it allows bypassing an explicit administrative security control. Even though user interaction is required, an attacker can authenticate using an Identity Provider that administrators intentionally disabled. This weakens identity governance controls and may result in unauthorized access depending on the trust level of the external IdP. The root cause is insufficient authorization validation during broker login processing.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3009"
},
{
"category": "external",
"summary": "RHBZ#2441867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3009",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3009"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3009",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3009"
}
],
"release_date": "2026-03-05T11:23:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Improper Enforcement of Disabled Identity Provider in IdentityBrokerService (Authentication Bypass)"
},
{
"cve": "CVE-2026-3047",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"discovery_date": "2026-02-23T17:29:50.192000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2441966"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CRITICAL: This flaw allows a disabled SAML client in Keycloak, when configured as an IdP-initiated broker landing target, to still facilitate a successful login. This bypasses the intended security control, granting an authenticated user access to other enabled clients without re-authentication. This issue affects Keycloak instances where a disabled SAML client is configured for IdP-initiated brokering and the user exists in the external Identity Provider.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3047"
},
{
"category": "external",
"summary": "RHBZ#2441966",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047"
}
],
"release_date": "2026-03-05T11:24:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T19:09:49+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:ae13f29ccde0ddf5d96d14567177fcdfa2dd12cb29ca7793b47c857436d2a3e8_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2ff84fdf2ccf5ef7fb360d0b33b7369ae948b7eba84926320431adb1da23d9a7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:adc45a57c1cc6f816e6c0074cd9aeba6c6b323a0c708d5d11678bb49af578a6a_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:cbb01b2cdd4857eddc5c94a1382c11901883d0df6176593a099d01791f6b72bf_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:edeb162dfffdcaf118c3fa7b951a563de58a88b4604764c8651396056e6ba814_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:48fa03e7e881b996085a2207878c6ab610fa770fbedf41f195d270aefb8bf9f7_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:73cf1a2410318ef2e508c21dc5c3332d3f3658eaab7d9b0e4dadfb570c002899_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:884c31d8ddfd03349a65bc76851cdf83d7cf8db0983e9e8c52a648298cd8c7eb_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:b0efe038b71e19b53e41ccede51fefcd03d81e2aafd6fa0b23b5b9c8dac212fd_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login"
}
]
}
GHSA-FJF4-6F34-W64Q
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-03-06 00:31
VLAI?
Summary
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
Details
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2733"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T22:06:37Z",
"nvd_published_at": "2026-02-19T08:16:17Z",
"severity": "LOW"
},
"details": "A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \u201cEnabled\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.",
"id": "GHSA-fjf4-6f34-w64q",
"modified": "2026-03-06T00:31:28Z",
"published": "2026-02-19T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2733"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/46462"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/743ac24081b2c6da36aac3775147ec5b80c2861e"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-2733"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440895"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak: Missing Check on Disabled Client for Docker Registry Protocol"
}
FKIE_CVE-2026-2733
Vulnerability from fkie_nvd - Published: 2026-02-19 08:16 - Updated: 2026-03-05 22:16
Severity ?
Summary
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client \u201cEnabled\u201d setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad en el endpoint de autenticaci\u00f3n Docker v2 de Keycloak, donde los tokens contin\u00faan siendo emitidos incluso despu\u00e9s de que un cliente de registro Docker haya sido deshabilitado administrativamente. Esto significa que al cambiar la configuraci\u00f3n \u0027Enabled\u0027 del cliente a OFF no se impide completamente el acceso. Como resultado, las credenciales previamente v\u00e1lidas a\u00fan pueden ser utilizadas para obtener tokens de autenticaci\u00f3n. Esto debilita los controles administrativos y podr\u00eda permitir un acceso no intencionado a los recursos del registro de contenedores."
}
],
"id": "CVE-2026-2733",
"lastModified": "2026-03-05T22:16:25.207",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2026-02-19T08:16:17.980",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2026-2733"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440895"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…