Platform
java
Component
org.keycloak:keycloak-broker-saml
Fixed version
1.8.2
CVE-2026-3047 is an Authentication Bypass vulnerability affecting the org.keycloak.broker.saml component within Keycloak. This flaw allows a remote attacker to bypass security restrictions and gain unauthorized access to other enabled clients within Keycloak without re-authentication. The vulnerability impacts versions of Keycloak Broker SAML up to and including 1.8.1.Final, and a fix is available in Keycloak 26.5.5 and later.
The impact of CVE-2026-3047 is significant, as it enables unauthorized access to Keycloak clients. An attacker can exploit this vulnerability by configuring a disabled SAML client as an IdP-initiated broker landing target. By completing the login process through this disabled client, the attacker establishes an SSO session and can then reach other enabled clients in the same Keycloak realm without re-authenticating, effectively bypassing authentication. Depending on the permissions granted to the affected clients, this could lead to data breaches, privilege escalation, and potential compromise of the entire Keycloak instance, and the absence of any re-authentication step significantly lowers the barrier to entry for attackers.
CVE-2026-3047 was publicly disclosed on March 5, 2026. The vulnerability's impact is considered high due to the potential for unauthorized access and privilege escalation. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the vulnerability's nature suggests a relatively straightforward exploitation path. It is not currently listed on the CISA KEV catalog.
Organizations using Keycloak as an identity provider and relying on SAML-based authentication are at risk. Specifically, deployments with disabled SAML clients configured as IdP-initiated broker landing targets are particularly vulnerable. Shared hosting environments where multiple Keycloak instances share resources could also be affected if proper isolation measures are not in place.
• java / server:
# Check Keycloak version (Quarkus distribution; run from the Keycloak install directory)
bin/kc.sh --version
• java / server:
# Review Keycloak logs for unusual login attempts or access to disabled SAML clients
# (the pattern below is a starting point; adjust it to the log format of your deployment)
grep -i 'disabled saml client' /path/to/keycloak/logs/keycloak.log
• java / server:
# Inspect Keycloak configuration for IdP-initiated SSO enabled on disabled clients
# (Requires access to Keycloak admin console or configuration files)
Exploit status
EPSS
0.43% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3047 is to upgrade Keycloak to version 26.5.5 or later, which contains the fix. If an immediate upgrade is not feasible, consider disabling IdP-initiated SSO for disabled SAML clients as a temporary workaround. Review your Keycloak configuration to ensure that disabled clients are not inadvertently used as broker landing targets. Monitor Keycloak logs for any unusual login activity or attempts to access disabled clients. After upgrading, confirm the fix by attempting to initiate an SSO session through a previously disabled SAML client and verifying that access is denied.
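The configuration review described above can be scripted. The following audit, added here as an illustration rather than code from the Keycloak project or from this advisory, reads a client list in the shape returned by the Keycloak admin REST endpoint `GET /admin/realms/{realm}/clients` (or the `clients` array of a realm export) and flags SAML clients that are disabled yet still carry an IdP-initiated SSO URL name, which is what makes them reachable as a broker landing target. The attribute key `saml_idp_initiated_sso_url_name`, the broker endpoint path layout, and the sample client data are assumptions made for this example; verify the attribute key against your Keycloak version before relying on the result.

```python
"""Audit Keycloak SAML clients for the CVE-2026-3047 workaround.

Flags SAML clients that are disabled but still expose an IdP-initiated SSO
URL name. Such clients should have that name cleared (or the client deleted)
until Keycloak is upgraded to 26.5.5 or later.
"""
import json

# Assumed client attribute key under which Keycloak stores the
# "IDP Initiated SSO URL name" of a SAML client.
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"

# Constructed sample in the shape of an admin REST client list / realm export.
SAMPLE_CLIENTS_JSON = """
[
  {"clientId": "payroll-sp", "protocol": "saml", "enabled": false,
   "attributes": {"saml_idp_initiated_sso_url_name": "payroll"}},
  {"clientId": "wiki-sp", "protocol": "saml", "enabled": true,
   "attributes": {"saml_idp_initiated_sso_url_name": "wiki"}},
  {"clientId": "legacy-sp", "protocol": "saml", "enabled": false,
   "attributes": {}},
  {"clientId": "portal", "protocol": "openid-connect", "enabled": true,
   "attributes": {}}
]
"""


def idp_initiated_name(client):
    """Return the IdP-initiated URL name of a client, or '' if none is set."""
    attrs = client.get("attributes") or {}
    name = attrs.get(IDP_INITIATED_ATTR, "")
    return name.strip() if isinstance(name, str) else ""


def audit_clients(clients, realm="<realm>", broker_alias="<idp-alias>"):
    """Return one finding per SAML client that has IdP-initiated SSO configured.

    Disabled clients are rated HIGH (candidate broker landing targets for
    CVE-2026-3047); enabled ones are listed as INFO so the reviewer sees the
    full IdP-initiated surface. The landing path is the assumed layout of the
    SAML broker endpoint and is included only to aid manual verification.
    """
    findings = []
    for client in clients:
        if client.get("protocol") != "saml":
            continue
        name = idp_initiated_name(client)
        if not name:
            continue
        enabled = bool(client.get("enabled", True))
        findings.append({
            "clientId": client.get("clientId"),
            "enabled": enabled,
            "idpInitiatedName": name,
            "brokerLandingPath": f"/realms/{realm}/broker/{broker_alias}"
                                 f"/endpoint/clients/{name}",
            "severity": "INFO" if enabled else "HIGH",
        })
    return findings


def high_findings(clients):
    """Only the disabled-but-reachable clients that need the workaround applied."""
    return [f for f in audit_clients(clients) if f["severity"] == "HIGH"]


def load_clients(text):
    """Parse a JSON client list; accepts a bare list or a realm export object."""
    data = json.loads(text)
    return data["clients"] if isinstance(data, dict) else data


if __name__ == "__main__":
    clients = load_clients(SAMPLE_CLIENTS_JSON)
    for finding in audit_clients(clients, realm="corp", broker_alias="partner-idp"):
        print(f"[{finding['severity']}] {finding['clientId']}: "
              f"enabled={finding['enabled']} landing={finding['brokerLandingPath']}")
```

Run it against a real export by replacing `SAMPLE_CLIENTS_JSON` with the file contents (for example `load_clients(open("realm-export.json").read())`). Every HIGH finding is a disabled SAML client that still has an IdP-initiated URL name; clearing that name removes it as a landing target until the upgrade to 26.5.5 is complete.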
Update Red Hat build of Keycloak to the latest available version that includes the security fixes. Consult the Red Hat security advisories (RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947) for further details and specific upgrade instructions.
CVE-2026-3047 is a HIGH severity vulnerability in Keycloak Broker SAML allowing attackers to bypass authentication and gain unauthorized access to enabled clients.
You are affected if you are using Keycloak Broker SAML versions 1.8.1.Final or earlier.
Upgrade Keycloak to version 26.5.5 or later. As a temporary workaround, disable IdP-initiated SSO for disabled SAML clients.
No active exploitation has been confirmed as of the disclosure date, but the vulnerability's nature suggests a relatively straightforward exploitation path.
Refer to the Keycloak release notes for version 26.5.5: https://github.com/keycloak/keycloak/releases/tag/26.5.5