Platform
java
Component
keycloak
Fixed in
*
CVE-2026-3009 describes an authentication bypass vulnerability in Keycloak's IdentityBrokerService.performLogin endpoint. This flaw allows attackers to authenticate through disabled Identity Providers (IdPs) by reusing previously generated login requests, effectively circumventing administrative access controls. The vulnerability affects Keycloak versions 26.4 and later. A fix is available, requiring an upgrade to a patched version.
The primary impact of CVE-2026-3009 is unauthorized access to Keycloak-protected resources. An attacker who knows the alias of a previously configured Identity Provider (even one that has since been disabled) can replay a login request generated while that IdP was active and complete authentication as if the IdP were still enabled. This bypasses the administrator's intended control and grants access to applications and services that rely on Keycloak for authentication. The blast radius extends to every application integrated with Keycloak that accepts users brokered from the affected IdP, potentially exposing sensitive data and enabling lateral movement within the environment. Like other replay-based authentication bypasses, the flaw stems from a previously issued artifact (here, the login request) being honoured after the state it depended on has changed.
CVE-2026-3009 was publicly disclosed on 2026-03-05. Its EPSS score is low (0.03%, 8th percentile) at the time of writing. There are no known public proof-of-concept exploits at this time, but the attack needs only the alias of a disabled IdP and a previously generated login request, so the barrier to exploitation is low. The vulnerability is listed in the NVD and in CISA advisories.
Organizations that rely heavily on Keycloak for single sign-on (SSO) and federated identity management are at significant risk. Environments with many Identity Providers, particularly those that leave retired IdPs configured in a disabled state rather than deleting them, are especially exposed. Multi-tenant or shared Keycloak deployments should also be prioritized for patching.
• java / server:
# Check the running Keycloak version (Quarkus distribution, Keycloak 17+)
bin/kc.sh --version
• java / server:
# Look for broker login events naming an IdP alias that is disabled in the admin console.
# Requires the jboss-logging event listener to log successful events, e.g.
# --spi-events-listener-jboss-logging-success-level=info; replace <disabled-alias>.
grep -E 'IDENTITY_PROVIDER_(FIRST_)?LOGIN' /path/to/keycloak/logs/keycloak.log | grep -F 'identity_provider="<disabled-alias>"'
• generic web:
# Check whether the broker login endpoint (IdentityBrokerService.performLogin) of a disabled alias
# is reachable from outside. Keycloak 26 serves it without the legacy /auth prefix unless
# http-relative-path=/auth is configured.
curl -sI 'https://keycloak.example.com/realms/master/broker/<idp-alias>/login'
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-3009 is to upgrade Keycloak to a version containing the fix. Note that the control being bypassed is the IdP's disabled flag itself, so leaving an unwanted IdP disabled is not a workaround. Until the upgrade can be performed, consider deleting Identity Providers that are no longer needed instead of merely disabling them (deleting an IdP also removes the federated identity links of users who signed in through it, so check for that first), and block requests to the performLogin endpoint (/realms/<realm>/broker/<alias>/login) for disabled aliases at the reverse proxy or WAF. Rate limiting on that endpoint raises the cost of repeated attempts but does not stop a single replayed request. Review Keycloak's event and audit logs for IDENTITY_PROVIDER_LOGIN events that name a disabled alias. After upgrading, confirm the fix by replaying a previously generated login request against a disabled IdP; it should be rejected.
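The following is an added example written for this page, not code from the advisory or from the Keycloak project. It implements the interim measures above as runnable triage helpers: it derives the set of disabled IdP aliases from the JSON that `kcadm.sh get identity-provider/instances -r <realm>` returns, produces the performLogin paths to deny at the proxy, classifies incoming request paths against those aliases (the logic a WAF rule would need), and scans event-log lines for IDENTITY_PROVIDER_* events naming a disabled alias. The IdP list and log lines are constructed samples; the log format approximates Keycloak's jboss-logging event listener output (type=..., key="value" pairs, with the broker alias under the identity_provider detail), and the optional /auth prefix in the path regex is an assumption for deployments using a legacy relative path.

```python
"""
Added example for CVE-2026-3009 triage (not from the advisory or Keycloak itself).
Inputs below are constructed samples; real use would feed the output of
`kcadm.sh get identity-provider/instances -r <realm>` and the Keycloak server log.
"""
import json
import re
from typing import Iterable

# performLogin path, with optional legacy /auth prefix (assumption: http-relative-path=/auth).
BROKER_LOGIN_RE = re.compile(
    r"^(?:/auth)?/realms/(?P<realm>[^/]+)/broker/(?P<alias>[^/]+)/login/?(?:\?.*)?$"
)

# Constructed sample in the shape of `kcadm.sh get identity-provider/instances -r <realm>`.
SAMPLE_IDP_INSTANCES = json.dumps([
    {"alias": "corp-saml", "providerId": "saml", "enabled": True},
    {"alias": "legacy-oidc", "providerId": "oidc", "enabled": False},
    {"alias": "github", "providerId": "github", "enabled": False},
])


def disabled_aliases(instances_json: str) -> set[str]:
    """Aliases of IdPs whose `enabled` flag is false: the replay targets."""
    return {i["alias"] for i in json.loads(instances_json) if not i.get("enabled", True)}


def broker_login_paths(realm: str, aliases: Iterable[str]) -> list[str]:
    """Paths to deny at the reverse proxy, one per disabled alias (sorted for stable output)."""
    return sorted(f"/realms/{realm}/broker/{a}/login" for a in aliases)


def is_blocked_request(path: str, disabled: set[str]) -> bool:
    """True if the request path targets performLogin of a disabled alias."""
    m = BROKER_LOGIN_RE.match(path)
    return bool(m) and m.group("alias") in disabled


# Constructed log lines approximating the jboss-logging event listener format.
SAMPLE_LOG = """\
2026-03-06 10:01:12,001 INFO  [org.keycloak.events] (executor-thread-3) type="LOGIN", realmId="abc", realmName="master", clientId="account", userId="u1", ipAddress="10.0.0.5"
2026-03-06 10:02:45,113 INFO  [org.keycloak.events] (executor-thread-4) type="IDENTITY_PROVIDER_LOGIN", realmId="abc", realmName="master", clientId="app", userId="u2", ipAddress="10.0.0.9", identity_provider="corp-saml"
2026-03-06 10:03:01,220 INFO  [org.keycloak.events] (executor-thread-2) type="IDENTITY_PROVIDER_LOGIN", realmId="abc", realmName="master", clientId="app", userId="u3", ipAddress="203.0.113.7", identity_provider="legacy-oidc"
2026-03-06 10:03:02,330 INFO  [org.keycloak.events] (executor-thread-2) type="IDENTITY_PROVIDER_FIRST_LOGIN", realmId="abc", realmName="master", clientId="app", ipAddress="203.0.113.7", identity_provider="github"
"""

# Tolerates both quoted (type="X") and unquoted (type=X) listener output.
EVENT_RE = re.compile(r'type="?(?P<type>[A-Z_]+)"?.*?identity_provider="?(?P<alias>[^",\s]+)"?')
IP_RE = re.compile(r'ipAddress="?(?P<ip>[^",\s]+)"?')


def suspicious_events(log_text: str, disabled: set[str]) -> list[dict]:
    """IDENTITY_PROVIDER_* events whose alias belongs to a disabled IdP."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or not m.group("type").startswith("IDENTITY_PROVIDER_"):
            continue
        if m.group("alias") in disabled:
            ip = IP_RE.search(line)
            hits.append({"type": m.group("type"), "alias": m.group("alias"),
                         "ip": ip.group("ip") if ip else None})
    return hits


if __name__ == "__main__":
    disabled = disabled_aliases(SAMPLE_IDP_INSTANCES)
    print("disabled aliases:", sorted(disabled))
    for p in broker_login_paths("master", disabled):
        print("deny at proxy:", p)
    for h in suspicious_events(SAMPLE_LOG, disabled):
        print("SUSPICIOUS:", h)
```

The path check deliberately matches only the login sub-path named by the advisory, not the broker callback endpoint, so legitimate IdP responses for enabled aliases are unaffected; widen it only if your own testing shows other sub-paths are involved.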
Upgrade to a Keycloak version that has fixed this vulnerability. See the Red Hat security advisories (RHSA-2026:3947, RHSA-2026:3948) for details and the fixed versions.
CVE-2026-3009 is a HIGH severity vulnerability in Keycloak versions 26.4 and later, allowing attackers to bypass disabled Identity Providers using previously generated login requests.
If you are running Keycloak version 26.4 or later, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Keycloak to a version containing the security patch. Consult the Keycloak documentation for upgrade instructions.
There are currently no known active exploits, but because the attack needs only a disabled IdP's alias and a previously generated login request, it could be exploited relatively easily.
Refer to the Keycloak security advisories on the official Keycloak website for detailed information and updates: [https://www.keycloak.org/security](https://www.keycloak.org/security)