Platform: java
Component: org.keycloak:keycloak-broker-saml
Fixed in: 1.8.2
CVE-2026-3047 is an Authentication Bypass vulnerability affecting the org.keycloak.broker.saml component within Keycloak. This flaw allows a remote attacker to bypass security restrictions and gain unauthorized access to other enabled clients within Keycloak without re-authentication. The vulnerability impacts versions of Keycloak Broker SAML up to and including 1.8.1.Final, and a fix is available in Keycloak 26.5.5 and later.
The impact of CVE-2026-3047 is significant, as it enables unauthorized access to Keycloak clients. An attacker can exploit this vulnerability by configuring a disabled SAML client as an IdP-initiated broker landing target. By successfully completing the login process through this disabled client, the attacker can establish an SSO session and gain access to other enabled clients within the Keycloak realm, effectively bypassing authentication. This could lead to data breaches, privilege escalation, and potential compromise of the entire Keycloak instance, depending on the permissions granted to the affected clients. The ability to bypass authentication without re-authentication significantly lowers the barrier to entry for attackers.
CVE-2026-3047 was publicly disclosed on March 5, 2026. The vulnerability's impact is considered high due to the potential for unauthorized access and privilege escalation. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the vulnerability's nature suggests a relatively straightforward exploitation path. It is not currently listed on the CISA KEV catalog.
Exploit Status: EPSS 0.43% (62nd percentile)
The primary mitigation for CVE-2026-3047 is to upgrade Keycloak to version 26.5.5 or later, which contains the fix. If an immediate upgrade is not feasible, consider disabling IdP-initiated SSO for disabled SAML clients as a temporary workaround. Review your Keycloak configuration to ensure that disabled clients are not inadvertently used as broker landing targets. Monitor Keycloak logs for any unusual login activity or attempts to access disabled clients. After upgrading, confirm the fix by attempting to initiate an SSO session through a previously disabled SAML client and verifying that access is denied.
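One way to do the configuration review described above is to scan a realm export for disabled SAML clients that still carry an IdP-initiated SSO URL name, since those are the clients that can serve as a broker landing target. The script below is an added example, not code from the advisory or the Keycloak project; it assumes Keycloak's realm export layout (a `clients` array with `protocol`, `enabled` and `attributes`), that the attribute key is `saml_idp_initiated_sso_url_name`, and that the IdP-initiated endpoint follows the documented `/realms/<realm>/protocol/saml/clients/<url-name>` pattern, and it runs on constructed sample data.

```python
"""Audit a Keycloak realm export for disabled SAML clients that still expose an
IdP-initiated SSO URL name (the configuration CVE-2026-3047 abuses).

Sample data and attribute key names below are assumptions for illustration,
not values taken from the advisory."""
import json

# Assumed attribute key for the "IDP Initiated SSO URL name" client setting.
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"

# Constructed realm export fragment, not from any real deployment.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "legacy-app", "protocol": "saml", "enabled": False,
         "attributes": {IDP_INITIATED_ATTR: "legacy-app"}},
        {"clientId": "hr-portal", "protocol": "saml", "enabled": True,
         "attributes": {IDP_INITIATED_ATTR: "hr"}},
        {"clientId": "old-saml", "protocol": "saml", "enabled": False,
         "attributes": {IDP_INITIATED_ATTR: ""}},
        {"clientId": "web-oidc", "protocol": "openid-connect", "enabled": False,
         "attributes": {}},
    ],
})


def find_disabled_idp_initiated_saml_clients(realm_export: str) -> list:
    """Return disabled SAML clients that still have an IdP-initiated SSO URL name.

    Each finding records the clientId and the assumed landing path Keycloak
    would serve for it, which is the path worth checking in access logs."""
    realm = json.loads(realm_export)
    realm_name = realm.get("realm", "")
    findings = []
    for client in realm.get("clients", []):
        if client.get("protocol") != "saml":
            continue  # only SAML clients have an IdP-initiated endpoint
        if client.get("enabled", True):
            continue  # enabled clients are expected to be reachable
        url_name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR, "")
        if not url_name:
            continue  # no URL name configured, so not a landing target
        findings.append({
            "clientId": client.get("clientId"),
            "idpInitiatedPath": f"/realms/{realm_name}/protocol/saml/clients/{url_name}",
        })
    return findings


if __name__ == "__main__":
    for f in find_disabled_idp_initiated_saml_clients(SAMPLE_REALM_EXPORT):
        print(f"disabled SAML client {f['clientId']}: clear {IDP_INITIATED_ATTR} "
              f"or remove the client; watch logs for {f['idpInitiatedPath']}")
```

Export the realm with the admin console or `kc.sh export` and run the function over the resulting JSON; any finding is a client whose IdP-initiated SSO URL name should be cleared until the upgrade to 26.5.5 is in place.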
Update Red Hat build of Keycloak to the latest available version that includes the security fixes. Refer to Red Hat security advisories (RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947) for more details and specific upgrade instructions.
CVE-2026-3047 is a HIGH severity vulnerability in Keycloak Broker SAML allowing attackers to bypass authentication and gain unauthorized access to enabled clients.
You are affected if you are using Keycloak Broker SAML versions 1.8.1.Final or earlier.
Upgrade Keycloak to version 26.5.5 or later. As a temporary workaround, disable IdP-initiated SSO for disabled SAML clients.
No active exploitation has been confirmed as of the disclosure date, but the vulnerability's nature suggests a relatively straightforward exploitation path.
Refer to the Keycloak release notes for version 26.5.5: https://github.com/keycloak/keycloak/releases/tag/26.5.5