Cyber Posture

CVE-2026-2603

High

Published: 18 March 2026
Modified: 18 March 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0019 (40.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent, Recover: Requires timely remediation of flaws like CVE-2026-2603 in Keycloak through vendor patches such as RHSA-2026:3925 to prevent unauthorized broker logins.

Prevent: Ensures external identity providers are properly registered and managed, preventing Keycloak from processing SAML responses from disabled IdPs during broker logins.

Prevent: Enforces access control policies at the SAML broker login endpoint to block unauthorized authentication attempts via crafted SAML responses.

Security Summary (AI-generated)

CVE-2026-2603 is a security flaw in Keycloak that allows a remote attacker to bypass authentication controls. By sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint designated for IdP-initiated broker logins, the attacker can complete broker logins even when the SAML IdP is disabled. This leads to unauthorized authentication, mapped to CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low attack complexity and no user interaction required. The attacker crafts and submits a legitimate-looking SAML response to the broker login endpoint, tricking Keycloak into accepting it despite the IdP being disabled. Successful exploitation results in high impacts to confidentiality and integrity, enabling unauthorized access to the system via broker login mechanisms.

Red Hat has released multiple errata addressing this issue, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948, with additional details available on the CVE security page at https://access.redhat.com/security/cve/CVE-2026-2603. Security practitioners should review and apply these updates promptly to mitigate the vulnerability.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1606.002 SAML Tokens (Credential Access)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows an attacker to submit a valid SAML response to bypass authentication (T1606.002), and it exploits Keycloak's remotely reachable broker login service to escalate from low privileges (T1068, T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References