PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2092 Red Hat CVE debrief

CVE-2026-2092 is a high-severity vulnerability in the SAML (Security Assertion Markup Language) broker endpoint of Keycloak, the endpoint that consumes responses from an external SAML identity provider when Keycloak acts as an identity broker. Keycloak does not properly validate encrypted assertions when the SAML response that carries them is not itself signed, so an attacker who already holds a valid signed SAML assertion from the trusted identity provider can craft a response that additionally injects an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. The CVSS v3 base score is 7.7 (High). The CVE was published on March 18, 2026, and last modified on June 30, 2026.

Vendor
Red Hat
Product
Red Hat build of Keycloak 26.2
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-06-30
Advisory published
2026-03-18
Advisory updated
2026-06-30

Who should care

This vulnerability matters to any organization that runs Keycloak as a SAML identity broker, that is, with one or more SAML identity providers configured in a realm, because the vulnerable component is the broker endpoint that consumes the external provider's responses. The product named by Red Hat is Red Hat build of Keycloak 26.2. Keycloak administrators, the security team that tracks and applies vendor errata, and developers who integrate applications through a brokered realm should treat it as a priority: exploitation needs only an ordinary account at the upstream identity provider (Privileges Required: Low), no interaction from a victim, and the outcome is unauthorized access under an arbitrary principal. The first question for each instance is therefore whether it has a SAML identity provider configured at all.

Technical summary

The SAML broker endpoint is where Keycloak, acting as a service provider towards an external SAML identity provider, consumes that provider's responses and maps the asserted subject to a local principal. The vulnerability stems from inadequate validation of encrypted assertions when the enclosing SAML response is not signed: when nothing signs the response as a whole, an encrypted assertion is not held to proper signature validation, so its decrypted content is accepted without the integrity guarantee a signature would provide. An attacker who already holds a valid signed assertion from the trusted identity provider can therefore craft a response that carries that assertion together with an encrypted assertion naming an arbitrary principal, and have the broker accept the injected subject. Successful exploitation leads to unauthorized access and potential information disclosure.

The CVSS vector is AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L, base score 7.7 (High). Read against the attack: the endpoint is reachable over the network (Attack Vector: Network); the attacker must obtain a genuine signed assertion and craft a response that passes the remaining checks (Attack Complexity: High); an ordinary account at the brokered identity provider suffices (Privileges Required: Low); no victim interaction is needed (User Interaction: None); the flaw sits in the broker but the impact lands on the realm and applications behind it (Scope: Changed); and the impact is High on confidentiality and Low on integrity and availability.
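The acceptance policy described above, modelled as an added example (this is not Keycloak's code and is not derived from the patch). XML-DSig is stood in for by an HMAC over a few assertion fields and XML-Enc by base64, so that only the policy, which assertions may supply the principal, is exercised offline. The issuer, key and the two sample responses are constructed for this illustration; which assertion a real broker uses when several are present is not stated on the page, and the model simply takes the last one.

```python
"""Model of the validation flaw described for CVE-2026-2092 (added example).
XML-DSig -> HMAC over a few fields; XML-Enc -> base64. Not Keycloak code."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the trusted IdP's key


def _covered_bytes(assertion):
    # Fields the model signature covers; real XML-DSig covers the whole element.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return f"{assertion.get('ID')}|{issuer}|{name_id}".encode()


def sign_assertion(assertion, key=IDP_KEY):
    ET.SubElement(assertion, "Signature").text = hmac.new(
        key, _covered_bytes(assertion), hashlib.sha256).hexdigest()


def signature_valid(assertion, key=IDP_KEY):
    sig = assertion.find("Signature")
    if sig is None or not sig.text:
        return False
    expected = hmac.new(key, _covered_bytes(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.text, expected)


def make_assertion(assertion_id, principal):
    a = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id)
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example.test"
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = principal
    return a


def encrypt_assertion(assertion):
    # Stand-in for XML-Enc: the plaintext assertion, base64-encoded.
    enc = ET.Element(f"{{{SAML}}}EncryptedAssertion")
    ET.SubElement(enc, "EncryptedData").text = base64.b64encode(
        ET.tostring(assertion)).decode()
    return enc


def decrypt_assertion(enc):
    return ET.fromstring(base64.b64decode(enc.findtext("EncryptedData")))


def build_unsigned_response(children):
    # The case the advisory describes: no signature over the Response itself.
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_response")
    resp.extend(children)
    return ET.tostring(resp)


def _assertions(response_xml):
    for child in ET.fromstring(response_xml):
        if child.tag == f"{{{SAML}}}Assertion":
            yield child, False
        elif child.tag == f"{{{SAML}}}EncryptedAssertion":
            yield decrypt_assertion(child), True


def vulnerable_principal(response_xml):
    """Flawed policy: plaintext assertions are signature-checked, a decrypted
    assertion is trusted as is. The model lets the last assertion win."""
    principal = None
    for assertion, was_encrypted in _assertions(response_xml):
        if not was_encrypted and not signature_valid(assertion):
            raise ValueError("unsigned plaintext assertion")
        principal = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return principal


def hardened_principal(response_xml):
    """With an unsigned Response every assertion, encrypted or not, must carry
    a valid signature after decryption, and exactly one may supply the subject."""
    principals = []
    for assertion, _ in _assertions(response_xml):
        if not signature_valid(assertion):
            raise ValueError(f"assertion {assertion.get('ID')} has no valid signature")
        principals.append(assertion.findtext("saml:Subject/saml:NameID", namespaces=NS))
    if len(principals) != 1:
        raise ValueError("expected exactly one assertion")
    return principals[0]


def rejects(response_xml):
    try:
        hardened_principal(response_xml)
    except ValueError:
        return True
    return False


def crafted_response():
    own = make_assertion("_a1", "attacker@example.test")
    sign_assertion(own)  # the attacker's own assertion, genuinely IdP-signed
    injected = make_assertion("_a2", "admin@example.test")  # never signed
    return build_unsigned_response([own, encrypt_assertion(injected)])


def honest_response():
    a = make_assertion("_a3", "alice@example.test")
    sign_assertion(a)
    return build_unsigned_response([encrypt_assertion(a)])


if __name__ == "__main__":
    print(vulnerable_principal(crafted_response()))  # admin@example.test
    print(rejects(crafted_response()))               # True
    print(hardened_principal(honest_response()))     # alice@example.test
```

Against the crafted response, vulnerable_principal returns the injected principal while hardened_principal raises; the honest response, a signed assertion delivered encrypted, passes both. The hardened rule is the one the advisory implies: when the Response carries no signature, an assertion may supply the subject only if it carries a valid signature itself, and that check must run on the decrypted content, not be skipped because the assertion arrived encrypted.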

Defensive priority

Given the high severity of CVE-2026-2092, defenders should treat it as a patch-now item: update affected Keycloak instances to the release referenced by the Red Hat errata for this CVE so that encrypted assertions are validated even when the enclosing SAML response is unsigned. Until the update is applied, the attack needs only an account at the brokered identity provider, so every realm with a SAML identity provider configured should be considered exposed.

Recommended defensive actions

  • Apply the vendor update: install the Red Hat build of Keycloak release referenced by the RHSA errata for this CVE, which corrects the broker endpoint's validation of encrypted assertions. No configuration change is a complete substitute for the code fix.
  • Monitor the SAML broker endpoint: alert on identity-provider login events that resolve to privileged or unexpected principals, and on spikes of responses rejected at that endpoint for signature errors, since a crafted response has to pass through the same path as a genuine one.
  • Review the configuration of every SAML identity provider in the affected realms: keep signature validation enabled and require the upstream provider to sign its assertions (and, where it supports it, the whole response), so that each assertion the broker accepts is integrity-protected. Treat this as hardening alongside the update, not as the fix.
  • Compensating controls such as a Web Application Firewall (WAF) can rate-limit or alert on traffic to the broker endpoint, but a WAF does not verify the XML signatures inside a base64-encoded SAML response and cannot distinguish a crafted response from a genuine one; do not rely on it in place of the update.
  • Inventory every Keycloak instance, including embedded and containerized ones, and record for each whether a SAML identity provider is configured; those instances are the ones to patch first.
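A small audit for the configuration-review and inventory steps above, added here as an example (it is not a vendor tool). It takes a Keycloak realm export, lists every enabled SAML identity provider, and flags ones whose signature settings are weak. The export shown is constructed, and the config key names (validateSignature, wantAssertionsSigned, wantAssertionsEncrypted, with "true"/"false" string values) are assumed from the realm-export JSON format; check them against your own export, which you can obtain for the identity providers alone with `kcadm.sh get identity-provider/instances -r <realm>`.

```python
"""Audit a Keycloak realm export for SAML brokers with weak signature settings.
Added example, not Keycloak code. Config key names are assumed from the
realm-export JSON format; verify against a real export before relying on it."""
import json

# Constructed sample export: two SAML brokers and one OIDC broker.
REALM_EXPORT = json.dumps({
    "realm": "corp",
    "identityProviders": [
        {"alias": "partner-saml", "providerId": "saml", "enabled": True,
         "config": {"validateSignature": "true", "wantAssertionsSigned": "true",
                    "wantAssertionsEncrypted": "true"}},
        {"alias": "legacy-saml", "providerId": "saml", "enabled": True,
         "config": {"validateSignature": "false", "wantAssertionsSigned": "false",
                    "wantAssertionsEncrypted": "true"}},
        {"alias": "google", "providerId": "oidc", "enabled": True, "config": {}},
    ],
})

# Settings every SAML broker should have; assumed key names, see the note above.
REQUIRED = {"validateSignature": "true", "wantAssertionsSigned": "true"}


def audit_saml_brokers(export_json):
    """Return {alias: [finding, ...]} for every enabled SAML identity provider.
    An empty finding list still matters: that broker is in scope for the patch."""
    realm = json.loads(export_json)
    findings = {}
    for idp in realm.get("identityProviders", []):
        if idp.get("providerId") != "saml" or not idp.get("enabled", True):
            continue
        cfg = idp.get("config", {})
        problems = [
            f"{key} is {cfg.get(key, 'unset')!r}, expected {want!r}"
            for key, want in REQUIRED.items()
            if str(cfg.get(key, "")).lower() != want
        ]
        findings[idp["alias"]] = problems
    return findings


def brokers_needing_attention(export_json):
    """Aliases of SAML brokers with at least one weak setting, sorted."""
    return sorted(alias for alias, problems in audit_saml_brokers(export_json).items()
                  if problems)


if __name__ == "__main__":
    for alias, problems in audit_saml_brokers(REALM_EXPORT).items():
        print(alias, "OK" if not problems else problems)
```

Every alias the audit returns is a broker exposed to this CVE until the instance is updated; the flagged ones additionally accept unsigned material today and should be corrected as well, with the caveat that correcting them does not replace the vendor fix.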

Evidence notes

The CVE-2026-2092 record was obtained from the National Vulnerability Database (NVD) and provides detailed information about the vulnerability, including its CVSS score, vector, and references. The vendor, Red Hat, has provided several errata and references related to this vulnerability, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948. These resources offer additional context and mitigation strategies for affected systems.

Official resources

This article is AI-assisted and based on the supplied source corpus.