Keycloak SAML Broker Unvalidated Encrypted Assertion Attack
CVE-2026-2092 Published on March 18, 2026

Keycloak-services: keycloak: unauthorized access via improper validation of encrypted saml assertions
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-2092 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
LOW

Timeline

Reported to Red Hat.

Made public. 27 days later.

Weakness Type

Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.


Products Associated with CVE-2026-2092

Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.

Red Hat Build Keycloak
 

Affected Versions

Red Hat build of Keycloak 26.2: Red Hat build of Keycloak 26.2: Red Hat build of Keycloak 26.2: Red Hat build of Keycloak 26.2.14: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4: Red Hat build of Keycloak 26.4.10: