RHSA-2026:3925
Vulnerability from csaf_redhat - Published: 2026-03-05 15:35 - Updated: 2026-03-06 03:17
Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.14 Images Update
Notes
Topic
New images are available for Red Hat build of Keycloak 26.2.14 and Red Hat build of Keycloak 26.2.14 Operator, running on OpenShift Container Platform
Details
Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.14 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.2.14 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)
* Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)
* Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.2.14 and Red Hat build of Keycloak 26.2.14 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.14 clusters.\nThis erratum releases new images for Red Hat build of Keycloak 26.2.14 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login (CVE-2026-3047)\n* Unauthorized authentication via disabled SAML Identity Provider (CVE-2026-2603)\n* Unauthorized access via improper validation of encrypted SAML assertions (CVE-2026-2092)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3925",
"url": "https://access.redhat.com/errata/RHSA-2026:3925"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3925.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.14 Images Update",
"tracking": {
"current_release_date": "2026-03-06T03:17:07+00:00",
"generator": {
"date": "2026-03-06T03:17:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2026:3925",
"initial_release_date": "2026-03-05T15:35:42+00:00",
"revision_history": [
{
"date": "2026-03-05T15:35:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-03-05T15:35:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-06T03:17:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.2",
"product": {
"name": "Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-16"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-16"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-16"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-16"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-16"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-16"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-16"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.2.14-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-16"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Oleh Konko"
]
}
],
"cve": "CVE-2026-2092",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"discovery_date": "2026-02-06T10:25:16.675000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437296"
}
],
"notes": [
{
"category": "description",
"text": "No description is available for this CVE.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2092"
},
{
"category": "external",
"summary": "RHBZ#2437296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2092",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2092"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092"
}
],
"release_date": "2026-03-05T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T15:35:42+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak-services: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions"
},
{
"cve": "CVE-2026-2603",
"discovery_date": "2026-02-16T21:15:53.373000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440300"
}
],
"notes": [
{
"category": "description",
"text": "No description is available for this CVE.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2603"
},
{
"category": "external",
"summary": "RHBZ#2440300",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2603",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2603"
}
],
"release_date": "2026-03-05T11:23:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T15:35:42+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3925"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider"
},
{
"cve": "CVE-2026-3047",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"discovery_date": "2026-02-23T17:29:50.192000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2441966"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CRITICAL: This flaw allows a disabled SAML client in Keycloak, when configured as an IdP-initiated broker landing target, to still facilitate a successful login. This bypasses the intended security control, granting an authenticated user access to other enabled clients without re-authentication. This issue affects Keycloak instances where a disabled SAML client is configured for IdP-initiated brokering and the user exists in the external Identity Provider.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3047"
},
{
"category": "external",
"summary": "RHBZ#2441966",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3047",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047"
}
],
"release_date": "2026-03-05T11:24:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-05T15:35:42+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3925"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that any SAML client intended to be disabled is not configured as an IdP-initiated broker landing target within Keycloak. Review your Keycloak realm configurations to identify and remove any such associations for disabled clients.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:ca0959572305bc27cc969355f06e14b0bb5c7dedea9619e884f7bd3bec9bb2bc_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:252532cad9e091df87b895d82a59dfb6bc7bc97a777fe313ca43f0cacee7bd10_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:6dead5fff17a33fc1e37a28f98051f631a74b616d0a2d66fe84169d0eeaed0b4_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:c1664981fec90044019cc72cd634f7d1568e9ca906bce2c6365dfa548ac88122_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:cb02cd23c13e0ae1e6404784b22608444b0752749432970ad1e8c4f2cd74ea53_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:08b5b94d827dbdaba29126c9389476341d1ca9ebeca6a764491862a38d19bb0e_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:172d9f060709fdf5df5b6a8db9dc8001ff4d41025900e225d43ded8d189522d6_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:708b0282101911143c468a7c78a3c815e8a8fcee01d001d1e9504d7fa14c9337_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:97f579e9720a458a3d4a277dd19cc0e669b70bf863fdda5298f420d6442dd199_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login"
}
]
}
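The workaround in the `remediations` block above asks the operator to find SAML clients that are disabled but still configured as an IdP-initiated broker landing target, and to remove that association. The script below is an added example of how to run that audit offline against a realm export; it is not part of the advisory and is not Keycloak project code. It assumes the client representation shape that `kc.sh export` writes under `"clients"` and that `kcadm.sh get clients -r <realm>` returns as a bare list, and that the admin-console setting "IDP Initiated SSO URL name" is stored under the client attribute key `saml_idp_initiated_sso_url_name` (the key the SAML broker resolves `.../broker/<alias>/endpoint/clients/<url_name>` against). The realm export it runs on is constructed for the example.

```python
"""Audit a Keycloak realm export for disabled SAML clients that still act as
IdP-initiated broker landing targets (the pre-condition named in the
CVE-2026-3047 workaround), and produce the cleaned client representation."""
import copy
import json
from typing import Any

# Assumption: Keycloak stores the "IDP Initiated SSO URL name" client setting
# under this attribute key; the SAML broker maps the <url_name> path segment
# of .../broker/<alias>/endpoint/clients/<url_name> to a client through it.
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"


def _client_list(realm_or_clients: Any) -> list:
    """Accept a full realm export (dict with "clients") or a bare client list."""
    if isinstance(realm_or_clients, dict):
        return realm_or_clients.get("clients", []) or []
    return list(realm_or_clients)


def find_disabled_idp_initiated_saml_clients(realm_or_clients: Any) -> list:
    """Return one finding per SAML client that is disabled yet still carries a
    non-empty IdP-initiated SSO URL name. OIDC clients and enabled SAML clients
    are out of scope; an empty attribute value (the default) is not a target."""
    findings = []
    for client in _client_list(realm_or_clients):
        if client.get("protocol") != "saml":
            continue
        if client.get("enabled", True):
            continue
        url_name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR) or ""
        if not url_name.strip():
            continue
        findings.append({
            "clientId": client.get("clientId"),
            "idpInitiatedUrlName": url_name.strip(),
        })
    return findings


def clear_idp_initiated_landing(client: dict) -> dict:
    """Return a copy of the client representation with the IdP-initiated URL
    name removed, i.e. the state the workaround asks for. The input is not
    modified, so the original export can be diffed against the result."""
    cleaned = copy.deepcopy(client)
    attributes = cleaned.get("attributes") or {}
    attributes.pop(IDP_INITIATED_ATTR, None)
    cleaned["attributes"] = attributes
    return cleaned


# Constructed realm export for the example (not real data). Only the first
# client matches the workaround's condition: SAML, disabled, URL name set.
SAMPLE_REALM_EXPORT = json.loads("""
{
  "realm": "example",
  "clients": [
    {"clientId": "legacy-saml-app", "protocol": "saml", "enabled": false,
     "attributes": {"saml_idp_initiated_sso_url_name": "legacy-app"}},
    {"clientId": "active-saml-app", "protocol": "saml", "enabled": true,
     "attributes": {"saml_idp_initiated_sso_url_name": "active-app"}},
    {"clientId": "retired-saml-app", "protocol": "saml", "enabled": false,
     "attributes": {"saml_idp_initiated_sso_url_name": ""}},
    {"clientId": "oidc-app", "protocol": "openid-connect", "enabled": false,
     "attributes": {}}
  ]
}
""")


if __name__ == "__main__":
    for finding in find_disabled_idp_initiated_saml_clients(SAMPLE_REALM_EXPORT):
        print(f"disabled SAML client {finding['clientId']!r} is still an "
              f"IdP-initiated landing target ({finding['idpInitiatedUrlName']!r})")
```

To run it against a live realm, replace `SAMPLE_REALM_EXPORT` with the parsed output of `kcadm.sh get clients -r <realm>` or a `kc.sh export` file; the function accepts both shapes. The finding list is the review the workaround asks for, and `clear_idp_initiated_landing` gives the representation to push back for each flagged client. This is a mitigation only: the vendor fix in this erratum is the actual remediation, and the audit says nothing about the other two CVEs in the advisory.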