A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
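A configuration check that a defender can run before the fixed build is rolled out, added here as an example and not taken from the advisory or from Keycloak itself: it walks a realm export, flags SAML clients that are disabled yet still carry an IdP Initiated SSO URL Name (the broker landing-target configuration the flaw abuses), and returns a copy with that name cleared. The export layout, the attribute key `saml_idp_initiated_sso_url_name` and the sample realm are assumptions made for the example.

```python
import copy

# Keycloak stores the client's "IdP Initiated SSO URL Name" under this client
# attribute key in realm exports (assumed to match your export's format).
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"

# Constructed sample realm export (not from the advisory): one disabled SAML
# client still carries an IdP-initiated URL name and is therefore reachable as
# a broker landing target on an unpatched server.
SAMPLE_REALM_EXPORT = {
    "realm": "example",
    "clients": [
        {"clientId": "hr-portal", "protocol": "saml", "enabled": False,
         "attributes": {IDP_INITIATED_ATTR: "hr"}},
        {"clientId": "wiki", "protocol": "saml", "enabled": True,
         "attributes": {IDP_INITIATED_ATTR: "wiki"}},
        {"clientId": "legacy-crm", "protocol": "saml", "enabled": False,
         "attributes": {}},
        {"clientId": "dashboard", "protocol": "openid-connect", "enabled": False,
         "attributes": {IDP_INITIATED_ATTR: "dash"}},
    ],
}

def _idp_initiated_name(client: dict) -> str:
    return ((client.get("attributes") or {}).get(IDP_INITIATED_ATTR) or "").strip()

def find_disabled_idp_initiated_targets(realm: dict) -> list[tuple[str, str]]:
    """Return (clientId, urlName) for disabled SAML clients that still have an
    IdP-initiated SSO URL name, i.e. the configuration the advisory describes."""
    return [
        (c["clientId"], _idp_initiated_name(c))
        for c in realm.get("clients", [])
        if c.get("protocol") == "saml"
        and not c.get("enabled", True)
        and _idp_initiated_name(c)
    ]

def scrub_disabled_idp_initiated_targets(realm: dict) -> dict:
    """Return a copy of the realm with the URL name cleared on the flagged
    clients, so they can no longer be selected as a broker landing target."""
    cleaned = copy.deepcopy(realm)
    flagged = {cid for cid, _ in find_disabled_idp_initiated_targets(cleaned)}
    for c in cleaned.get("clients", []):
        if c["clientId"] in flagged:
            c["attributes"][IDP_INITIATED_ATTR] = ""
    return cleaned
```

Run `find_disabled_idp_initiated_targets` over a realm export pulled from the admin console or the `kc.sh export` command; on the sample it reports only `hr-portal`, since the OIDC client is not a SAML landing target and the enabled client is expected to be reachable.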
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-operator-bundle:26.2.14-1 | * |
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-rhel9:26.2-16 | * |
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-rhel9-operator:26.2-16 | * |
| Red Hat build of Keycloak 26.2.14 | RedHat | rhbk/keycloak-rhel9 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-operator-bundle:26.4.10-1 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-rhel9:26.4-12 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-rhel9-operator:26.4-12 | * |
| Red Hat build of Keycloak 26.4.10 | RedHat | rhbk/keycloak-rhel9 | * |