CVE-2026-2603
Severity CVSS v4.0:
Pending analysis
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
18/03/2026
Last modified:
18/03/2026
Description
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://access.redhat.com/errata/RHSA-2026:3925
- https://access.redhat.com/errata/RHSA-2026:3926
- https://access.redhat.com/errata/RHSA-2026:3947
- https://access.redhat.com/errata/RHSA-2026:3948
- https://access.redhat.com/security/cve/CVE-2026-2603
- https://bugzilla.redhat.com/show_bug.cgi?id=2440300
- https://bugzilla.redhat.com/show_bug.cgi?id=2440300