CVE-2026-2603 (CVSS base score 8.1)

Keycloak: unauthorized authentication via disabled SAML identity provider

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Data provided by the CVE Program through a CVE Numbering Authority (CNA) (unstructured).
Affected products

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
Default status: affected
Version range 26.2.14-1 up to *: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
Default status: affected
Version range 26.2-16 up to *: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2.14
Default status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4
Default status: affected
Version range 26.4.10-1 up to *: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4
Default status: affected
Version range 26.4-12 up to *: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4.10
Default status: unaffected
No advisory was found for this CVE.
EPSS metrics

Type | Source | Score | Percentile
EPSS | FIRST.org | 0.19% | 0.408

CVSS metrics

Source | Base Score | Exploitability Score | Impact Score | Vector String
secalert@redhat.com | 8.1 | 2.8 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.