Platform: java
Component: org.keycloak:keycloak-broker-saml
Fixed in: 1.8.2
CVE-2026-3047 is an Authentication Bypass vulnerability affecting the org.keycloak.broker.saml component within Keycloak. This flaw allows a remote attacker to bypass security restrictions and gain unauthorized access to other enabled clients within Keycloak without re-authentication. The vulnerability impacts versions of Keycloak Broker SAML up to and including 1.8.1.Final, and a fix is available in Keycloak 26.5.5 and later.
The impact of CVE-2026-3047 is significant because it yields unauthorized access to Keycloak clients. The precondition is a SAML client that has been disabled but is still configured as an IdP-initiated broker landing target. An attacker who completes the login flow through that disabled client obtains a valid SSO session in the realm and can then reach other enabled clients in the same realm without re-authenticating, which defeats the purpose of disabling the client. The consequences depend on the roles and permissions exposed through the enabled clients: at minimum unauthorized data access, and privilege escalation where those clients grant elevated roles. Because the attack needs no prior credentials for the realm, the barrier to exploitation is low.
CVE-2026-3047 was publicly disclosed on March 5, 2026. The vulnerability's impact is considered high due to the potential for unauthorized access and privilege escalation. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the vulnerability's nature suggests a relatively straightforward exploitation path. It is not currently listed on the CISA KEV catalog.
Organizations using Keycloak as an identity provider with SAML-based authentication are at risk. Specifically, realms that contain disabled SAML clients which still carry an IdP-initiated SSO URL name (and are therefore reachable as IdP-initiated broker landing targets) are exploitable; a disabled SAML client with no IdP-initiated SSO URL name does not provide this entry point.
• java / server: check the Keycloak version (the Quarkus distribution reports it via the kc.sh launcher)
  bin/kc.sh --version
• java / server: review Keycloak logs for login events that involve a disabled SAML client; replace <disabled-client-id> with the clientId of the client being checked. Successful login events are written at DEBUG by the default jboss-logging event listener, so org.keycloak.events must be set to debug for them to appear.
  grep -i 'client_id=<disabled-client-id>' /path/to/keycloak/logs/keycloak.log
• java / server: inspect the Keycloak configuration for disabled SAML clients that still have an IdP-Initiated SSO URL name set (requires access to the Keycloak admin console or the Admin REST API)
Exploit status:
EPSS: 0.43% (62nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-3047 is to upgrade Keycloak to version 26.5.5 or later, which contains the fix. If an immediate upgrade is not feasible, remove the IdP-initiated entry point as a temporary workaround: clear the IdP-Initiated SSO URL name on every disabled SAML client, or delete clients that are no longer needed, so that no disabled client can serve as a broker landing target. Review the realm configuration to confirm that no disabled client is still reachable this way, and monitor Keycloak logs for login events that reference disabled clients. After upgrading, confirm the fix by requesting the IdP-initiated SSO URL of a previously disabled SAML client (/realms/<realm>/protocol/saml/clients/<url-name>) and verifying that the login is refused and no SSO session is created.
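As an added example that is not part of this advisory or of the Keycloak project, the following script implements the configuration review called for in both the detection steps and the mitigation above: it pulls the client list of a realm from the Keycloak Admin REST API and reports every SAML client that is disabled yet still has an IdP-Initiated SSO URL name, which is the precondition described for CVE-2026-3047. The attribute name saml_idp_initiated_sso_url_name, the admin-cli token endpoint and the /admin/realms/{realm}/clients endpoint are Keycloak's own; the realm name, the environment variables and the SAMPLE_CLIENTS list are assumptions constructed for this example so the check also runs offline.

```python
"""Find disabled SAML clients that are still IdP-initiated landing targets.

Added example for reviewing a Keycloak realm for the CVE-2026-3047
precondition; this is not Keycloak code. Runs offline against the
constructed SAMPLE_CLIENTS below, or live when KEYCLOAK_URL is set.
"""
import json
import os
import urllib.parse
import urllib.request

# Keycloak stores a SAML client's "IDP-Initiated SSO URL name" in this attribute.
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"


def idp_initiated_targets(clients, realm):
    """Return [(clientId, landing_path)] for SAML clients that are disabled
    but still expose an IdP-initiated SSO URL, i.e. the risky configuration."""
    hits = []
    for client in clients:
        if client.get("protocol") != "saml":
            continue  # OIDC clients are not SAML landing targets
        url_name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR, "")
        if url_name and not client.get("enabled", True):
            path = f"/realms/{realm}/protocol/saml/clients/{url_name}"
            hits.append((client["clientId"], path))
    return hits


def admin_token(base_url, username, password):
    """Obtain an admin access token via the built-in admin-cli client."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, data=body) as resp:
        return json.load(resp)["access_token"]


def fetch_clients(base_url, realm, token):
    """GET /admin/realms/{realm}/clients with a bearer token."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of Admin API client representations (abridged fields).
SAMPLE_CLIENTS = [
    {"clientId": "payroll-sp", "protocol": "saml", "enabled": True,
     "attributes": {IDP_INITIATED_ATTR: "payroll"}},   # enabled: fine
    {"clientId": "legacy-sp", "protocol": "saml", "enabled": False,
     "attributes": {IDP_INITIATED_ATTR: "legacy"}},    # disabled + URL name: flag
    {"clientId": "retired-sp", "protocol": "saml", "enabled": False,
     "attributes": {IDP_INITIATED_ATTR: ""}},          # disabled, no URL name: fine
    {"clientId": "web-app", "protocol": "openid-connect", "enabled": False,
     "attributes": {}},                                 # OIDC: not applicable
]


def main():
    base_url = os.environ.get("KEYCLOAK_URL")          # assumed, e.g. https://sso.example.com
    realm = os.environ.get("KEYCLOAK_REALM", "demo")   # assumed realm name
    if base_url:
        token = admin_token(base_url, os.environ["KEYCLOAK_ADMIN"],
                            os.environ["KEYCLOAK_ADMIN_PASSWORD"])
        clients = fetch_clients(base_url, realm, token)
    else:
        clients = SAMPLE_CLIENTS
    for client_id, path in idp_initiated_targets(clients, realm):
        print(f"RISK: disabled SAML client {client_id!r} still reachable at {path}")


if __name__ == "__main__":
    main()
```

Run it with KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD set to audit a live realm; each reported path is a URL that should be removed by clearing the client's IdP-Initiated SSO URL name until the upgrade to 26.5.5 is in place. Without the environment variables it evaluates the constructed sample and flags only legacy-sp.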
Update Red Hat build of Keycloak to the latest available version that includes the security fixes. See the Red Hat security advisories (RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947) for details and specific upgrade instructions.
CVE-2026-3047 is a HIGH severity vulnerability in Keycloak Broker SAML allowing attackers to bypass authentication and gain unauthorized access to enabled clients.
You are affected if you are using Keycloak Broker SAML versions 1.8.1.Final or earlier; the issue is exploitable when a realm contains a disabled SAML client that still has an IdP-Initiated SSO URL name configured.
Upgrade Keycloak to version 26.5.5 or later. As a temporary workaround, clear the IdP-Initiated SSO URL name on disabled SAML clients (or delete them) so they can no longer serve as IdP-initiated landing targets.
No active exploitation has been confirmed as of the disclosure date, but the vulnerability's nature suggests a relatively straightforward exploitation path.
Refer to the Keycloak release notes for version 26.5.5: https://github.com/keycloak/keycloak/releases/tag/26.5.5