CVE-2026-2603 PUBLISHED

Keycloak: keycloak: unauthorized authentication via disabled saml identity provider

Assigner: redhat
Reserved: 16.02.2026 Published: 18.03.2026 Updated: 18.03.2026

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Product Status

Vendor Red Hat
Product Red Hat build of Keycloak 26.2
Versions Default: affected
  • unaffected from 26.2.14-1 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.2
Versions Default: affected
  • unaffected from 26.2-16 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.2
Versions Default: affected
  • unaffected from 26.2-16 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.2.14
Versions Default: unaffected
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4.10-1 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4-12 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4-12 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4.10
Versions Default: unaffected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Credits

  • Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.

References

Problem Types

  • Missing Authentication for Critical Function CWE