FKIE_CVE-2026-2603

Vulnerability from fkie_nvd - Published: 2026-03-18 02:16 - Updated: 2026-03-18 15:16
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3925
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3926
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3947
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3948
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2026-2603
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2440300
134c704f-9b21-4f2e-91b3-4a467353bcc0https://bugzilla.redhat.com/show_bug.cgi?id=2440300
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak. Un atacante remoto podr\u00eda eludir los controles de seguridad al enviar una respuesta SAML v\u00e1lida desde un Proveedor de Identidad (IdP) externo al punto final SAML de Keycloak para inicios de sesi\u00f3n de intermediario iniciados por el IdP. Esto permite al atacante completar inicios de sesi\u00f3n de intermediario incluso cuando el Proveedor de Identidad SAML est\u00e1 deshabilitado, lo que lleva a una autenticaci\u00f3n no autorizada."
    }
  ],
  "id": "CVE-2026-2603",
  "lastModified": "2026-03-18T15:16:30.500",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T02:16:24.813",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:3925"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:3926"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:3947"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:3948"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2603"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.