CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login #46909

@stianst

Description

Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login

A SAML client marked Disabled in the broker realm still completes IdP-initiated broker login and creates a realm SSO session. Even though the target SAML client is disabled, the user gains a valid Keycloak session and can access other enabled clients without re-authentication.

Requirements to exploit

The Keycloak instance must have a disabled SAML client configured as an IdP-initiated broker landing target. The user must also exist in the external IdP.
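The precondition above is a realm-level configuration state, so it can be audited. The following is an added example (not Keycloak project code) that scans a realm's client list for SAML clients that are disabled but still carry an IdP-initiated SSO URL name, which is the landing-target configuration the description refers to. It assumes the admin REST endpoint `GET /admin/realms/{realm}/clients` returns client representations with `clientId`, `protocol`, `enabled` and `attributes` fields, and that the IdP-initiated landing name is stored in the client attribute `saml_idp_initiated_sso_url_name` (Keycloak's "IDP Initiated SSO URL Name" setting); the sample response is constructed for the example.

```python
"""Audit a Keycloak realm for disabled SAML clients that still expose an
IdP-initiated landing name (the precondition described for CVE-2026-3047).

Added example, not Keycloak project code. Assumptions: the admin REST call
GET /admin/realms/{realm}/clients returns client representations with
"clientId", "protocol", "enabled" and "attributes", and the IdP-initiated
landing target is the client attribute "saml_idp_initiated_sso_url_name".
"""
import json
import urllib.request

IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"

# Constructed sample response, shaped like a realm clients listing.
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "payroll-saml", "protocol": "saml", "enabled": false,
   "attributes": {"saml_idp_initiated_sso_url_name": "payroll"}},
  {"clientId": "intranet-saml", "protocol": "saml", "enabled": true,
   "attributes": {"saml_idp_initiated_sso_url_name": "intranet"}},
  {"clientId": "legacy-saml", "protocol": "saml", "enabled": false,
   "attributes": {}},
  {"clientId": "web-oidc", "protocol": "openid-connect", "enabled": false,
   "attributes": {}}
]
""")


def find_disabled_idp_initiated_targets(clients):
    """Return (clientId, url_name) pairs for SAML clients that are disabled
    but still have an IdP-initiated landing name configured.

    On an unpatched instance such a client can still complete a brokered
    IdP-initiated login; clearing the attribute or removing the client takes
    the landing target away until the fix is deployed."""
    findings = []
    for client in clients:
        if client.get("protocol") != "saml":
            continue  # only SAML clients carry an IdP-initiated landing name
        if client.get("enabled", True):
            continue  # enabled clients are the intended, supported case
        url_name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR, "")
        if url_name:
            findings.append((client["clientId"], url_name))
    return findings


def fetch_clients(base_url, realm, admin_token):
    """Fetch the realm's client list with an admin bearer token.
    Not exercised offline; provided so the audit can run against a live realm."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for client_id, url_name in find_disabled_idp_initiated_targets(SAMPLE_CLIENTS):
        print(f"disabled SAML client {client_id!r} still exposes "
              f"IdP-initiated landing name {url_name!r}")
```

Run against the constructed sample it reports only `payroll-saml`: the enabled client is the normal case, `legacy-saml` is disabled but has no landing name, and the OIDC client is out of scope. Against a live realm, pass the output of `fetch_clients` to `find_disabled_idp_initiated_targets` and treat each finding as a client to clean up until the patched version is in place.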
