Keycloak Information Disclosure Vulnerability via SAML ECP Endpoint

Vulnerability

An information disclosure vulnerability exists in Keycloak. A remote, unauthenticated attacker can exploit this flaw by sending specially crafted SOAP requests to the SAML ECP (Enhanced Client or Proxy) endpoint, each referencing a different client ID. Because the faultstring in the SOAP fault response differs depending on the client looked up, comparing the responses lets the attacker infer each client's protocol type, which constitutes unauthorized information disclosure.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of client protocol types, which could facilitate further targeted attacks.
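The issue described above is an error-message oracle: the server's failure responses differ by a property of the object being looked up, so the response text leaks that property to anyone who can send a request. The following Python model is an added example, not Keycloak's code; the client registry, the handler names and the fault texts are constructed for illustration. It shows a leaky handler whose SOAP faultstring varies with the client's protocol type beside a hardened handler that returns one generic faultstring on every failure path (keeping the specific reason in the server log), together with a check that confirms the hardened variant is no longer distinguishable.

```python
"""Illustrative model of a SOAP faultstring oracle and its removal.

Not Keycloak code: the registry, handlers and fault texts are constructed
for this example.
"""
import logging
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, Set

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample client registry: client id -> protocol type (hypothetical).
CLIENTS = {
    "saml-app": "saml",
    "oidc-app": "openid-connect",
}

log = logging.getLogger("ecp-model")


def soap_fault(faultstring: str) -> str:
    """Build a SOAP 1.1 Fault envelope carrying the given faultstring."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        "<soapenv:Fault><faultcode>soapenv:Client</faultcode>"
        f"<faultstring>{faultstring}</faultstring></soapenv:Fault>"
        "</soapenv:Body></soapenv:Envelope>"
    )


def proceed_marker() -> str:
    """Stand-in for a non-fault response: the request continues into ECP."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        "<Proceed/></soapenv:Body></soapenv:Envelope>"
    )


def leaky_ecp_handler(client_id: str) -> str:
    """Flawed behaviour: the faultstring depends on what the lookup found,
    so an unauthenticated caller can tell 'unknown' from 'not a SAML client'."""
    proto = CLIENTS.get(client_id)
    if proto is None:
        return soap_fault("Client not found")
    if proto != "saml":
        return soap_fault("Wrong client protocol")
    return proceed_marker()


def uniform_ecp_handler(client_id: str) -> str:
    """Hardened behaviour: every failure path returns the same faultstring.
    The distinguishing detail is logged server-side, never sent to the caller."""
    proto = CLIENTS.get(client_id)
    if proto is None or proto != "saml":
        log.info("ECP request rejected for client %r (proto=%r)", client_id, proto)
        return soap_fault("Invalid request")
    return proceed_marker()


def faultstring_of(envelope: str) -> str:
    """Extract the faultstring from a SOAP 1.1 fault; '' if it is not a fault."""
    root = ET.fromstring(envelope)
    node = root.find(f".//{{{SOAP_NS}}}Fault/faultstring")
    return node.text or "" if node is not None else ""


def distinct_faults(handler: Callable[[str], str], client_ids: Iterable[str]) -> Set[str]:
    """Collect the set of faultstrings a handler produces for the given ids.
    More than one distinct faultstring across failing ids means the handler
    is an oracle for whatever property drives the difference."""
    faults = set()
    for cid in client_ids:
        fs = faultstring_of(handler(cid))
        if fs:
            faults.add(fs)
    return faults


if __name__ == "__main__":
    probe = ["oidc-app", "no-such-client"]
    print("leaky  :", distinct_faults(leaky_ecp_handler, probe))
    print("uniform:", distinct_faults(uniform_ecp_handler, probe))
```

The check to apply to a real endpoint is the same shape: issue the failing requests, collect the faultstrings, and treat more than one distinct value across failure cases as an oracle to close. The hardened handler collapses only the failure paths; a request for a genuine SAML client still proceeds, which is the endpoint's intended behaviour rather than a leak.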

Added: May 28, 2026, 5:54 AM
Updated: May 28, 2026, 5:54 AM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          0.6
  exploitability  8.3
  remediation     0.0
  relevance       9.6
  threat          0.0
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.