Cyber Posture

CVE-2026-3047

Severity: High

Published: 05 March 2026
Modified: 26 March 2026
KEV Added: (no date listed)
Patch: see the Red Hat errata in the summary below
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Timely application of vendor patches, such as RHSA-2026:3925, directly remediates the flaw in Keycloak's SAML broker that lets disabled clients establish unauthorized SSO sessions.
- Prevent: Enforce access control so that login and SSO session establishment succeed only for enabled clients. The patched broker performs this check; until the patch is applied, the configuration review in the next item is the compensating control.
- Prevent: Manage client accounts by disabling unused or restricted SAML clients and reviewing their configuration so that a disabled client is not left reachable as an IdP-initiated broker landing target.
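The third control above is a configuration review, so the following is an added example audit script (not Keycloak project code and not part of the original page). It takes client representations in the shape returned by the Keycloak admin REST endpoint GET /admin/realms/{realm}/clients and flags SAML clients that are disabled but still carry an "IDP Initiated SSO URL Name", which is what makes a client addressable as a broker landing target. The attribute key `saml_idp_initiated_sso_url_name`, the brokered endpoint path `/realms/{realm}/broker/{alias}/endpoint/clients/{name}`, the host `sso.example.com`, the realm and IdP alias names and the sample client list are all assumptions constructed for the example.

```python
"""Audit a Keycloak realm's clients for the CVE-2026-3047 precondition.

Added example, not Keycloak project code. Input is a JSON list of client
representations as returned by GET /admin/realms/{realm}/clients (assumed
shape); a disabled SAML client with an IdP-initiated SSO URL name is reported.
"""
import json
import sys
from typing import Iterable

# Assumption: attribute key under which Keycloak stores the SAML client's
# "IDP Initiated SSO URL Name" in the client representation.
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"


def idp_initiated_url_name(client: dict) -> str:
    """Return the IdP-initiated SSO URL name of a SAML client, or "" if unset/blank."""
    if client.get("protocol") != "saml":
        return ""
    attrs = client.get("attributes") or {}
    return (attrs.get(IDP_INITIATED_ATTR) or "").strip()


def landing_url(base_url: str, realm: str, idp_alias: str, url_name: str) -> str:
    """Brokered endpoint an external IdP would post to in order to land on the client.

    Assumption: the path shape of Keycloak's brokered IdP-initiated endpoint.
    """
    return (f"{base_url.rstrip('/')}/realms/{realm}/broker/{idp_alias}"
            f"/endpoint/clients/{url_name}")


def find_disabled_landing_targets(clients: Iterable[dict]) -> list:
    """Disabled SAML clients that remain reachable as IdP-initiated landing targets."""
    findings = []
    for client in clients:
        url_name = idp_initiated_url_name(client)
        if url_name and not client.get("enabled", True):
            findings.append({"clientId": client.get("clientId"), "urlName": url_name})
    return findings


def remediate(client: dict) -> dict:
    """Copy of the client representation with the IdP-initiated SSO URL name removed.

    Push it back with PUT /admin/realms/{realm}/clients/{id} (assumed endpoint) or
    clear the field in the admin console. This only closes the landing-target path;
    the vendor patch is the actual fix.
    """
    fixed = dict(client)
    fixed["attributes"] = {k: v for k, v in (client.get("attributes") or {}).items()
                           if k != IDP_INITIATED_ATTR}
    return fixed


# Constructed sample in the shape of GET /admin/realms/{realm}/clients output.
SAMPLE_CLIENTS = [
    {"clientId": "hr-portal", "protocol": "saml", "enabled": True,
     "attributes": {IDP_INITIATED_ATTR: "hr"}},           # enabled: expected use
    {"clientId": "legacy-app", "protocol": "saml", "enabled": False,
     "attributes": {IDP_INITIATED_ATTR: "legacy"}},       # disabled but addressable
    {"clientId": "retired-saml", "protocol": "saml", "enabled": False,
     "attributes": {IDP_INITIATED_ATTR: "  "}},           # blank name: not addressable
    {"clientId": "old-spa", "protocol": "openid-connect", "enabled": False,
     "attributes": {}},                                   # not SAML: out of scope
]


def main(argv: list) -> int:
    """Usage: python audit.py [clients.json]; exits 1 when a finding exists."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            clients = json.load(fh)
    else:
        clients = SAMPLE_CLIENTS
    findings = find_disabled_landing_targets(clients)
    for f in findings:
        url = landing_url("https://sso.example.com", "demo", "corp-idp", f["urlName"])
        print(f"DISABLED SAML client '{f['clientId']}' is still a landing target: {url}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against an export of the realm's clients (the admin API call needs a bearer token and is left out so the script runs offline). A non-zero exit means at least one disabled SAML client can still be named by an external IdP as its landing target; clearing that name, or deleting the client outright, removes the precondition until the patched build is deployed.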

Security Summary (AI-generated)

CVE-2026-3047 is a high-severity vulnerability (CVSS 8.8) in the org.keycloak.broker.saml component of Keycloak, an open-source identity and access management solution. The flaw occurs when a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target. In this scenario, the disabled client can still complete the login process and establish a Single Sign-On (SSO) session, bypassing intended security restrictions (CWE-305: Authentication Bypass by Primary Weakness).

A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By targeting the disabled SAML client that is still configured as a landing target, the attacker obtains an SSO session the disabled client should never have been able to establish, and with it access to other enabled clients without re-authentication. The vector rates the impact high on confidentiality, integrity, and availability (C:H/I:H/A:H) with scope unchanged (S:U), so the damage is confined to the Keycloak realm but extends to every enabled client that trusts that SSO session. The low EPSS score (0.0038) reflects observed exploitation likelihood, not exposure: whether a deployment is reachable depends entirely on whether a disabled SAML client still carries an IdP-initiated landing-target configuration, which is a per-realm check.

Red Hat has released multiple errata addressing this issue in its Keycloak distributions, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948. Security practitioners should consult the detailed advisory at https://access.redhat.com/security/cve/CVE-2026-3047 and apply the corresponding patches to mitigate the vulnerability.

Details

CWE(s)

Affected Products

- redhat, build of keycloak: 26.2, 26.2.14, 26.4, 26.4.10, all versions
- redhat, keycloak: all versions

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability allows remote exploitation of a Keycloak SAML broker service (T1210) to bypass authentication restrictions and achieve privilege escalation via unauthorized SSO session establishment (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References