Keycloak SAML Broker Endpoint Encrypted Assertion Validation Vulnerability

Vulnerability

A vulnerability exists in the SAML broker endpoint of Keycloak, reported against the Red Hat build of Keycloak. When the SAML Response itself is not signed, the endpoint does not properly validate the assertions carried inside EncryptedAssertion elements. An attacker who holds a valid, signed SAML assertion from the trusted identity provider (for example one issued for their own account) can craft a SAML Response that injects, alongside it, an encrypted assertion for an arbitrary principal, and the broker accepts that injected assertion as legitimate. Successful exploitation yields unauthorized access to the target account and to the information it can reach.

Impact

An attacker who can obtain a single legitimately signed assertion can inject an encrypted assertion for any principal the broker maps, bypassing the normal authentication check and logging in as that user. This results in unauthorized access to that user's session and data.

Reproduction

To reproduce the issue, the attacker first obtains a valid signed SAML assertion from the identity provider trusted by the broker (for example by authenticating as a low-privileged user). The attacker then builds a SAML Response that carries no Response-level signature (stripping one if the IdP added it), keeps the signed assertion, and adds an EncryptedAssertion for the target principal, encrypted with the public key the target realm uses for SAML encryption. This crafted Response is posted to the broker endpoint; because the Response is unsigned and the encrypted assertion is not validated on its own, Keycloak accepts the injected assertion as legitimate.
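As an added illustration, not part of this advisory and not Keycloak's own code, the following Python models the broker-side check described above: a flawed validator that treats one valid assertion signature as proof for the whole unsigned Response, beside a corrected one that checks every assertion, including each one recovered from an EncryptedAssertion. XML-DSig and XML-Enc are replaced by HMAC-SHA256 and XOR stand-ins so it runs offline with the standard library; the element layout is genuine SAML 2.0, while all keys, IDs and principals are constructed for the example.

```python
"""Toy model of the broker-side check behind this flaw (added example).

Real SAML uses XML-DSig and XML-Enc. Both are replaced by stand-ins
(HMAC-SHA256 for the signature, XOR for the cipher) so the example runs
offline with only the standard library; the Response / Assertion /
EncryptedAssertion layout is genuine SAML 2.0. All keys, IDs and
principals below are constructed for the example.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

IDP_SIGNING_KEY = b"constructed-idp-signing-key"     # stands in for the IdP private key
REALM_ENCRYPTION_KEY = b"constructed-realm-enc-key"  # stands in for the realm's key pair


def toy_sign(assertion_id, name_id, key):
    """Stand-in for an enveloped XML-DSig signature over one Assertion."""
    return hmac.new(key, f"{assertion_id}|{name_id}".encode(), hashlib.sha256).hexdigest()


def toy_xor(data, key):
    """Stand-in for XML-Enc; XOR with a fixed key is NOT real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_assertion(assertion_id, name_id, signed):
    sig = ""
    if signed:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>'
               % (NS["ds"], toy_sign(assertion_id, name_id, IDP_SIGNING_KEY)))
    return ('<saml:Assertion xmlns:saml="%s" ID="%s">%s<saml:Subject><saml:NameID>%s'
            '</saml:NameID></saml:Subject></saml:Assertion>'
            % (NS["saml"], assertion_id, sig, name_id))


def build_response(inject_admin):
    """Unsigned samlp:Response carrying the attacker's own signed assertion and,
    if inject_admin is set, an unsigned assertion for 'admin' wrapped in an
    EncryptedAssertion encrypted to the realm's key (constructed input)."""
    body = make_assertion("_a1", "attacker@example.com", signed=True)
    if inject_admin:
        forged = make_assertion("_a2", "admin", signed=False).encode()
        cipher = base64.b64encode(toy_xor(forged, REALM_ENCRYPTION_KEY)).decode()
        body += ('<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="%s"><xenc:CipherData>'
                 '<xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>'
                 '</saml:EncryptedAssertion>' % (NS["xenc"], cipher))
    return '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s</samlp:Response>' % (
        NS["samlp"], NS["saml"], body)


def name_id_of(assertion):
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def assertion_signature_ok(assertion):
    """Verify the (toy) signature carried inside one Assertion element."""
    sig = assertion.findtext("ds:Signature/ds:SignatureValue", namespaces=NS)
    if sig is None:
        return False
    expected = toy_sign(assertion.get("ID"), name_id_of(assertion), IDP_SIGNING_KEY)
    return hmac.compare_digest(sig, expected)


def all_assertions(response):
    """Plain assertions, then the decrypted content of each EncryptedAssertion,
    as (element, was_encrypted) pairs."""
    out = [(a, False) for a in response.findall("saml:Assertion", NS)]
    for enc in response.findall("saml:EncryptedAssertion", NS):
        cv = enc.findtext("xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", namespaces=NS)
        out.append((ET.fromstring(toy_xor(base64.b64decode(cv), REALM_ENCRYPTION_KEY)), True))
    return out


def principals_vulnerable(response_xml):
    """Models the flawed logic: with no Response signature, one valid assertion
    signature anywhere in the document is taken as proof for the whole
    Response, and decrypted assertions are never checked individually."""
    resp = ET.fromstring(response_xml)
    assertions = all_assertions(resp)
    response_signed = resp.find("ds:Signature", NS) is not None
    if not response_signed and not any(assertion_signature_ok(a) for a, _ in assertions):
        raise ValueError("no valid signature found")
    return [name_id_of(a) for a, _ in assertions]


def principals_hardened(response_xml):
    """Corrected logic: unless the Response itself is signed, every assertion,
    including each one recovered from an EncryptedAssertion, must carry its
    own valid signature; one unsigned assertion rejects the whole Response."""
    resp = ET.fromstring(response_xml)
    response_signed = resp.find("ds:Signature", NS) is not None  # a real SP verifies it too
    accepted = []
    for a, was_encrypted in all_assertions(resp):
        if not response_signed and not assertion_signature_ok(a):
            raise ValueError("unsigned assertion %s rejected (encrypted=%s)" % (a.get("ID"), was_encrypted))
        accepted.append(name_id_of(a))
    return accepted


if __name__ == "__main__":
    forged = build_response(inject_admin=True)
    print("vulnerable accepts:", principals_vulnerable(forged))  # attacker + admin
    try:
        principals_hardened(forged)
    except ValueError as e:
        print("hardened rejects:", e)
```

The point to take from the hardened variant is that decryption and signature verification are separate steps: an EncryptedAssertion proves only that the sender knew the realm's public key, which is not a secret, so the decrypted assertion must be held to the same signature requirement as a plaintext one.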

Remediation

Upgrade to Red Hat build of Keycloak 26.2.14 or 26.4.10; both releases include the fix for this vulnerability.

Added: Mar 18, 2026, 2:20 AM
Updated: Mar 18, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.