Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in Keycloak. A remote, unauthenticated attacker can send specially crafted XML to the SAML endpoint; processing this input can drive CPU usage high and exhaust worker threads, leaving the Keycloak server unavailable. The vulnerability affects all Keycloak versions on Linux.
Successful exploitation results in a significant denial-of-service condition in which the Keycloak server becomes unavailable. This issue directly affects Keycloak instances with the SAML protocol enabled.
To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint from untrusted sources. Implement firewall rules to limit inbound connections to the Keycloak service port from untrusted networks. If SAML is not needed, consider disabling it to reduce the attack surface. These changes may require a restart or reload of the Keycloak service.
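The advisory recommends restricting access to the SAML endpoint rather than to the whole Keycloak port. The following reverse-proxy configuration is an added example and is not part of the advisory or of the Keycloak project: it assumes nginx fronts Keycloak on 127.0.0.1:8080, that Keycloak is configured to trust the proxy's forwarded headers, and that the standard Keycloak SAML endpoint path /realms/<realm>/protocol/saml is in use (older deployments use the /auth prefix). The allowed networks and hostname are placeholders.

```nginx
# Added example (not from the advisory): nginx in front of Keycloak, allowing the
# SAML protocol endpoint only from trusted networks while leaving OIDC, the admin
# console and the account console reachable as before.

upstream keycloak {
    server 127.0.0.1:8080;   # assumption: Keycloak bound to localhost behind the proxy
}

server {
    listen 443 ssl;
    server_name sso.example.com;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # SAML protocol endpoint and its sub-paths (e.g. /protocol/saml/clients/<name>).
    # Only listed source ranges may reach it; everything else receives 403.
    # To disable SAML at the edge entirely, remove the allow lines and keep "deny all".
    location ~ ^/realms/[^/]+/protocol/saml {
        allow 10.20.0.0/16;      # placeholder: internal user network
        allow 203.0.113.0/24;    # placeholder: partner egress range (RFC 5737 documentation block)
        deny  all;

        # Reject oversized XML before Keycloak has to parse it.
        client_max_body_size 256k;

        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Same restriction for the legacy /auth prefix used by older Keycloak deployments.
    location ~ ^/auth/realms/[^/]+/protocol/saml {
        allow 10.20.0.0/16;      # placeholder
        allow 203.0.113.0/24;    # placeholder
        deny  all;
        client_max_body_size 256k;
        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # All other paths are unchanged.
    location / {
        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Two caveats when applying this. In SP-initiated SAML flows the end user's browser is what posts the AuthnRequest to the Keycloak endpoint, so the allow list must cover every network your users log in from, not only the service providers' addresses; if users arrive from arbitrary internet addresses, source-based filtering cannot be applied and the advisory's other options (disabling SAML where unused, or patching) are the remaining controls. Second, if Keycloak also brokers to an external SAML identity provider, SAML responses arrive at /realms/<realm>/broker/<alias>/endpoint, which the locations above do not cover and which would need the same treatment.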