FKIE_CVE-2026-3047

Vulnerability from fkie_nvd - Published: 2026-03-05 19:16 - Updated: 2026-03-26 14:20
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3925Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3926Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3947Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:3948Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2026-3047Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2441966Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat build_of_keycloak -
redhat build_of_keycloak 26.2
redhat build_of_keycloak 26.2.14
redhat build_of_keycloak 26.4
redhat build_of_keycloak 26.4.10
redhat keycloak -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "1830E455-7E11-4264-862D-05971A42D4A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DBB531B3-5BD6-41B4-882C-A42F611819B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.2.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "56732D81-7096-40F3-A990-1C84E2D984F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C8F3485-92CB-4F23-A35A-AAA444FDF39E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:26.4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8A55A00-BD52-4198-B43A-62919C272AA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en org.keycloak.broker.saml. Cuando un cliente de Security Assertion Markup Language (SAML) deshabilitado se configura como un objetivo de aterrizaje de intermediario iniciado por un Proveedor de Identidad (IdP), a\u00fan puede completar el proceso de inicio de sesi\u00f3n y establecer una sesi\u00f3n de Single Sign-On (SSO). Esto permite a un atacante remoto obtener acceso no autorizado a otros clientes habilitados sin re-autenticaci\u00f3n, eludiendo eficazmente las restricciones de seguridad."
    }
  ],
  "id": "CVE-2026-3047",
  "lastModified": "2026-03-26T14:20:02.470",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T19:16:18.383",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2026:3925"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2026:3926"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2026:3947"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2026:3948"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2026-3047"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-305"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.