CVE-2026-3047
📋 TL;DR
This vulnerability allows attackers to bypass authentication in Keycloak by exploiting a disabled SAML client configured as an Identity Provider-initiated broker landing target. Attackers can gain unauthorized access to other enabled clients without re-authentication, establishing Single Sign-On sessions they shouldn't have. Organizations using Keycloak with SAML identity provider configurations are affected.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all applications integrated with the vulnerable Keycloak instance, allowing attackers to access sensitive data and systems as any user without authentication.
Likely Case
Unauthorized access to multiple applications behind the Keycloak SSO, potentially leading to data breaches and privilege escalation.
If Mitigated
Limited impact if proper network segmentation and access controls prevent lateral movement from compromised applications.
🎯 Exploit Status
Exploitation requires knowledge of the disabled SAML client endpoint but doesn't require authentication. Attackers need to understand SAML IdP-initiated flows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-3047
Restart Required: Yes
Instructions:
1. Review Red Hat advisories RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947 and RHSA-2026:3948.
2. Update to the patched version of Keycloak.
3. Restart the Keycloak service.
4. Verify the fix by testing SAML IdP-initiated flows.
🔧 Temporary Workarounds
Remove disabled SAML client as IdP landing target
All platforms: Remove any disabled SAML clients from being configured as Identity Provider-initiated broker landing targets.
Navigate to Keycloak admin console > Clients > Select disabled SAML client > Settings > Remove from IdP-initiated SSO URL configurations
Network isolation
Linux: Restrict access to the Keycloak SAML endpoints from untrusted networks. firewalld rich rules accept a single port or a port range, not a comma-separated list, so the HTTP and HTTPS ports need one rule each (replace TRUSTED_NETWORK with your CIDR):
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="8080" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="8443" accept'
firewall-cmd --reload
🧯 If You Can't Patch
- Ensure no disabled SAML clients are configured as IdP-initiated broker landing targets
- Implement network segmentation to isolate Keycloak from internet exposure and restrict access to SAML endpoints
🔍 How to Verify
Check if Vulnerable:
Check Keycloak admin console for any disabled SAML clients configured in IdP-initiated SSO URLs. Review SAML client configurations for disabled status and landing target settings.
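An added offline check for this step (example code, not from the advisory or the Keycloak project): it scans a Keycloak realm export for SAML clients that are disabled yet still carry the `saml_idp_initiated_sso_url_name` attribute, the setting that makes a client an IdP-initiated landing target under /realms/<realm>/protocol/saml/clients/<url-name>. The embedded export is constructed sample data; the attribute key and URL layout follow Keycloak's SAML client export format.

```python
"""Flag disabled SAML clients that are still configured as IdP-initiated landing targets.

Added example, not from the advisory or the Keycloak project. Input is a realm
export (admin console partial export or `kc.sh export`) as JSON.
"""
import json
import sys

# Constructed sample export: one disabled SAML client that is still a landing
# target (the finding), one disabled SAML client without the attribute, one
# enabled SAML client, and a disabled OIDC client that must be ignored.
SAMPLE_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "legacy-portal", "protocol": "saml", "enabled": False,
         "attributes": {"saml_idp_initiated_sso_url_name": "legacy-portal"}},
        {"clientId": "retired-app", "protocol": "saml", "enabled": False,
         "attributes": {"saml_idp_initiated_sso_url_name": ""}},
        {"clientId": "hr-app", "protocol": "saml", "enabled": True,
         "attributes": {"saml_idp_initiated_sso_url_name": "hr"}},
        {"clientId": "web-oidc", "protocol": "openid-connect", "enabled": False,
         "attributes": {}},
    ],
})


def find_disabled_idp_initiated_saml_clients(export_json: str) -> list[dict]:
    """Return one finding per disabled SAML client that still has an IdP-initiated URL name."""
    realm = json.loads(export_json)
    realm_name = realm.get("realm", "<realm>")
    findings = []
    for client in realm.get("clients", []):
        # Keycloak treats a missing "enabled" flag as enabled; only SAML clients matter here.
        if client.get("protocol") != "saml" or client.get("enabled", True):
            continue
        attrs = client.get("attributes") or {}
        url_name = attrs.get("saml_idp_initiated_sso_url_name", "")
        if not url_name:
            continue  # disabled, but not reachable as a landing target
        findings.append({
            "clientId": client["clientId"],
            "landing_url": f"/realms/{realm_name}/protocol/saml/clients/{url_name}",
        })
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in find_disabled_idp_initiated_saml_clients(data):
        print(f"{f['clientId']}: disabled SAML client still configured at {f['landing_url']}")
```

Run it against a real export with `python3 check.py realm-export.json`; every client it lists should have its IdP-initiated SSO URL name cleared (or the client deleted) until the patched version is deployed.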
Check Version:
For Red Hat Keycloak: rpm -q keycloak; For standalone: check keycloak-server.log or admin console version info
Verify Fix Applied:
After patching, attempt to reproduce the vulnerability by accessing a disabled SAML client's IdP-initiated endpoint - it should properly reject the request.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication events from disabled SAML clients
- SAML responses processed for disabled client IDs
- Unusual SSO session creations from unexpected sources
Network Indicators:
- HTTP requests to SAML endpoints with disabled client identifiers
- SAML assertions being sent to disabled client endpoints
SIEM Query:
source="keycloak" AND ((client_status="disabled" AND auth_outcome="success") OR (saml_client_id="DISABLED_CLIENT_ID" AND event_type="saml_response"))