Platform: java
Component: keycloak
Fixed version: *
CVE-2026-3009 describes an authentication bypass vulnerability in Keycloak's IdentityBrokerService.performLogin endpoint. This flaw allows attackers to authenticate through disabled Identity Providers (IdPs) by reusing previously generated login requests, effectively circumventing administrative access controls. The vulnerability affects Keycloak versions 26.4 and later. A fix is available, requiring an upgrade to a patched version.
The primary impact of CVE-2026-3009 is unauthorized access to Keycloak-protected resources. An attacker who knows the alias of a previously configured Identity Provider (even if disabled) can leverage a cached or replayed login request to authenticate as if the IdP were still active. This bypasses the intended security controls and allows the attacker to gain access to applications and services relying on Keycloak for authentication. The blast radius extends to any application or service integrated with Keycloak and relying on the IdP for authentication, potentially exposing sensitive data and enabling further lateral movement within the environment. This vulnerability shares similarities with other authentication bypass flaws where cached credentials or replay attacks can circumvent access controls.
CVE-2026-3009 was publicly disclosed on 2026-03-05. Its EPSS score is currently pending evaluation. There are no known public proof-of-concept exploits available at this time, but the vulnerability's nature suggests a relatively low barrier to exploitation once a suitable attack vector is identified. The vulnerability is listed on the NVD and CISA advisories.
Organizations heavily reliant on Keycloak for single sign-on (SSO) and federated identity management are at significant risk. Environments with numerous Identity Providers, particularly those that are frequently enabled and disabled, are especially vulnerable. Shared hosting environments utilizing Keycloak should also be prioritized for patching.
• java / server:
# Check the running Keycloak version (Quarkus distribution launcher; the jar form on the original page does not exist in current releases)
bin/kc.sh --version
• java / server:
# Monitor Keycloak logs for suspicious login attempts involving disabled IdPs
grep -i 'disabled identity provider' /path/to/keycloak/logs/keycloak.log
• generic web:
# Check for exposed IdentityBrokerService endpoint
curl -I https://keycloak.example.com/auth/realms/master/broker/identityprovider/idp-alias/endpointdisclosure
Exploitation status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3009 is to upgrade Keycloak to a version containing the fix. Until the upgrade can be performed, consider temporarily disabling the IdentityBrokerService or restricting access to the performLogin endpoint. Implementing stricter rate limiting on the performLogin endpoint can also help mitigate the risk of replay attacks. Review Keycloak's audit logs for suspicious login attempts, particularly those involving disabled IdPs. After upgrading, confirm the fix by attempting to authenticate through a disabled IdP using a previously generated login request – it should fail.
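To support the audit-log review recommended above (and the log grep in the detection snippets), here is an added example that is not from the original page or from the Keycloak project: it parses Keycloak-style event log lines and flags broker events whose identity_provider alias is on an administrator's disabled list, rating a completed login through such an alias higher than a mere broker error. The sample lines, the disabled-alias set and the function names are constructed for this example; it assumes the key=value event format written by Keycloak's JBoss logging event listener.

```python
# Event lines in the style of Keycloak's JBoss logging event listener
# (constructed for this example, not taken from a real deployment).
SAMPLE_EVENTS = [
    "09:10:11 WARN [org.keycloak.events] type=IDENTITY_PROVIDER_LOGIN, realmId=master, "
    "clientId=account, userId=u-1, ipAddress=10.0.0.5, identity_provider=github",
    "09:10:12 WARN [org.keycloak.events] type=LOGIN, realmId=master, clientId=account, "
    "userId=u-2, ipAddress=10.0.0.6, auth_method=openid-connect",
    "09:10:13 WARN [org.keycloak.events] type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, "
    "clientId=app, ipAddress=198.51.100.7, identity_provider=legacy-saml, error=login_failure",
    "09:10:14 WARN [org.keycloak.events] type=IDENTITY_PROVIDER_LOGIN, realmId=master, "
    "clientId=app, userId=u-3, ipAddress=198.51.100.7, identity_provider=legacy-saml",
]

# Aliases the administrator has disabled (constructed). In practice take them from
# a realm export or the admin API, where identityProviders[].enabled is false.
DISABLED_IDPS = {"legacy-saml"}

# A completed brokered login through a disabled alias is the bypass signature;
# a broker error on that alias is the expected rejection and only worth noting.
SEVERITY = {
    "IDENTITY_PROVIDER_LOGIN": "high",
    "IDENTITY_PROVIDER_FIRST_LOGIN": "high",
    "IDENTITY_PROVIDER_LOGIN_ERROR": "info",
}

def parse_event(line):
    """Return the 'key=value' fields of a Keycloak event line as a dict."""
    start = line.find("type=")
    if start < 0:
        return {}
    fields = {}
    for part in line[start:].split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def find_disabled_idp_activity(lines, disabled_idps):
    """Flag broker events whose identity_provider alias is on the disabled list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") in SEVERITY and ev.get("identity_provider") in disabled_idps:
            hits.append({"severity": SEVERITY[ev["type"]], "type": ev["type"],
                         "idp": ev["identity_provider"], "ip": ev.get("ipAddress"),
                         "user": ev.get("userId")})
    return hits

if __name__ == "__main__":
    print(find_disabled_idp_activity(SAMPLE_EVENTS, DISABLED_IDPS))
```

On the sample above the scan yields one informational hit (the rejected attempt) and one high-severity hit (the completed login through the disabled alias), both from the same source address.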
Upgrade to a Keycloak version that has fixed this vulnerability. Consult the Red Hat security advisories (RHSA-2026:3947, RHSA-2026:3948) for more details and the fixed versions.
CVE-2026-3009 is a HIGH severity vulnerability in Keycloak versions 26.4 and later, allowing attackers to bypass disabled Identity Providers using previously generated login requests.
If you are running Keycloak version 26.4 or later, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Keycloak to a version containing the security patch. Consult the Keycloak documentation for upgrade instructions.
There are currently no known active exploits, but the vulnerability's nature suggests it could be exploited relatively easily.
Refer to the Keycloak security advisories on the official Keycloak website for detailed information and updates: [https://www.keycloak.org/security](https://www.keycloak.org/security)