8.1
CVE-2026-2603
- EPSS 0.41%
- Veröffentlicht 18.03.2026 01:14:53
- Zuletzt bearbeitet 30.06.2026 03:18:14
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Keycloak: keycloak: unauthorized authentication via disabled saml identity provider
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.2
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.4
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.2.14
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Keycloak 26.4.10
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.331 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
https://access.redhat.com/errata/RHSA-2026:3947
https://access.redhat.com/errata/RHSA-2026:3948
https://access.redhat.com/errata/RHSA-2026:3925
https://access.redhat.com/errata/RHSA-2026:3926
https://access.redhat.com/security/cve/CVE-2026-2603
https://bugzilla.redhat.com/show_bug.cgi?id=2440300
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2603.json