Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

GHSA-wmxr-6j5f-838p · CVE-2026-2092

Published Mar 18, 2026 · Modified Apr 8, 2026

Description

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

References

7.7 / 10

HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Affected Packages

Maven/org.keycloak:keycloak-saml-adapter-core

Fix 26.2.14, 26.4.10, 26.5.5

Introduced 0, 26.3.0, 26.5.0

188 affected versions

1.6.0.Final1.6.1.Final1.7.0.CR11.7.0.Final1.8.0.Alpha11.8.0.CR11.8.0.CR21.8.0.CR31.8.0.Final1.8.1.Final1.9.0.CR11.9.0.Final1.9.1.Final1.9.2.Final1.9.3.Final1.9.4.Final1.9.5.Final1.9.7.Final1.9.8.Final10.0.0 +168 more

Maven/org.keycloak:keycloak-saml-core

Fix 26.2.14, 26.4.10, 26.5.5

Introduced 0, 26.3.0, 26.5.0

202 affected versions

1.1.0.Beta11.1.0.Beta21.1.0.Final1.1.1.Final1.2.0.Beta11.2.0.CR11.2.0.Final1.3.0.Final1.3.1.Final1.4.0.Final1.5.0-Final1.5.0.Final1.5.1.Final1.6.0.Final1.6.1.Final1.7.0.CR11.7.0.Final1.8.0.Alpha11.8.0.CR11.8.0.CR2 +182 more

Maven/org.keycloak:keycloak-services

Fix 26.2.14, 26.4.10, 26.5.5

Introduced 0, 26.3.0, 26.5.0

221 affected versions

1.0-alpha-11.0-alpha-1-120620131.0-alpha-21.0-alpha-31.0-alpha-41.0-beta-11.0-beta-1-201505211.0-beta-1-201505231.0-beta-21.0-beta-31.0-beta-41.0-final1.0-rc-11.0-rc-21.0.1.Final1.0.2.Final1.0.3.Final1.0.4.Final1.0.5.Final1.1.0.Beta1 +201 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes