CVE-2026-3047 PUBLISHED

org.keycloak.broker.saml: Keycloak SAML broker: authentication bypass due to disabled SAML client completing IdP-initiated login

Assigner: redhat
Reserved: 23.02.2026 Published: 05.03.2026 Updated: 06.03.2026

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor: Red Hat
  • Red Hat build of Keycloak 26.2: default affected; unaffected from 26.2.14-1 to * (excl.)
  • Red Hat build of Keycloak 26.2: default affected; unaffected from 26.2-16 to * (excl.)
  • Red Hat build of Keycloak 26.2: default affected; unaffected from 26.2-16 to * (excl.)
  • Red Hat build of Keycloak 26.2.14: default unaffected
  • Red Hat build of Keycloak 26.4: default affected; unaffected from 26.4.10-1 to * (excl.)
  • Red Hat build of Keycloak 26.4: default affected; unaffected from 26.4-12 to * (excl.)
  • Red Hat build of Keycloak 26.4: default affected; unaffected from 26.4-12 to * (excl.)
  • Red Hat build of Keycloak 26.4.10: default unaffected

Workarounds

To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.
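As an added example (not part of this advisory or of the Keycloak project), a small Python audit over a realm export JSON that lists disabled SAML clients still carrying an IdP-initiated SSO URL name, and a helper that clears that name so the client can no longer serve as a landing target. The attribute key `saml_idp_initiated_sso_url_name` and the export layout are assumptions; verify both against your own realm export.

```python
import json

# Keycloak client attribute that enables IdP-initiated SSO for a SAML client
# (assumed key name; verify it against your own realm export).
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"

# Constructed sample realm export, not a real one: one disabled SAML client that
# still carries an IdP-initiated URL name (the risky case), plus control cases.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "legacy-app", "protocol": "saml", "enabled": False,
         "attributes": {IDP_INITIATED_ATTR: "legacy-app"}},
        {"clientId": "hr-portal", "protocol": "saml", "enabled": True,
         "attributes": {IDP_INITIATED_ATTR: "hr"}},
        {"clientId": "old-saml", "protocol": "saml", "enabled": False,
         "attributes": {IDP_INITIATED_ATTR: ""}},
        {"clientId": "web-oidc", "protocol": "openid-connect", "enabled": False,
         "attributes": {}},
    ],
})


def find_risky_clients(realm_export: str) -> list:
    """Return the disabled SAML clients that still expose an IdP-initiated URL name.

    These are the clients that can act as an IdP-initiated broker landing target
    while disabled, which is the condition the advisory describes.
    """
    realm = json.loads(realm_export)
    findings = []
    for client in realm.get("clients", []):
        if client.get("protocol") != "saml" or client.get("enabled", True):
            continue
        url_name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR, "")
        if url_name.strip():
            findings.append({"clientId": client["clientId"], "urlName": url_name})
    return findings


def clear_idp_initiated_on_disabled(realm_export: str) -> str:
    """Return a copy of the export with the IdP-initiated URL name removed from
    every disabled SAML client; enabled clients are left untouched."""
    realm = json.loads(realm_export)
    for client in realm.get("clients", []):
        if client.get("protocol") == "saml" and not client.get("enabled", True):
            (client.get("attributes") or {}).pop(IDP_INITIATED_ATTR, None)
    return json.dumps(realm)


if __name__ == "__main__":
    for finding in find_risky_clients(SAMPLE_REALM_EXPORT):
        print("disabled SAML client still an IdP-initiated landing target:", finding)
```

Run it against a realm export taken before and after applying the workaround; an empty result from `find_risky_clients` means no disabled SAML client remains configured as a landing target.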

References

Problem Types

  • CWE: Authentication Bypass by Primary Weakness