CVE-2026-2092
HIGH7.7EPSS 0.10%Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
Published: 3/18/2026Modified: 4/8/2026
Description
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
Affected packages (3)
- Maven/org.keycloak:keycloak-saml-adapter-corefrom 0, < 26.2.14
- Maven/org.keycloak:keycloak-saml-core>= 26.3.0, < 26.4.10
- Maven/org.keycloak:keycloak-services>= 26.5.0, < 26.5.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.7 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-2092
- PATCHhttps://github.com/keycloak/keycloak
- WEBhttps://access.redhat.com/errata/RHSA-2026:3925
- WEBhttps://access.redhat.com/errata/RHSA-2026:3926
- WEBhttps://access.redhat.com/errata/RHSA-2026:3947
- WEBhttps://access.redhat.com/errata/RHSA-2026:3948
- WEBhttps://access.redhat.com/security/cve/CVE-2026-2092
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2437296
- WEBhttps://github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d92508