PatchSiren cyber security CVE debrief

CVE-2026-3009 Red Hat CVE debrief

CVE-2026-3009 is a security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak, a popular open-source identity and access management solution. The vulnerability allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. The vulnerability has a CVSS score of 8.1 and is considered HIGH severity. Red Hat has released advisories and patches to address this issue.

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-05
Original CVE updated: 2026-06-30
Advisory published: 2026-03-05
Advisory updated: 2026-06-30

Who should care

Organizations using Keycloak for identity and access management should prioritize patching this vulnerability. Specifically, administrators of Keycloak instances who have configured external Identity Providers should be aware of the potential for authentication bypass. Additionally, security teams responsible for monitoring and incident response should be prepared to detect and respond to potential exploitation attempts.

Technical summary

The IdentityBrokerService.performLogin endpoint in Keycloak fails to check whether an Identity Provider (IdP) has been disabled before processing a login request. An attacker who knows the IdP alias can therefore reuse a previously generated login request and complete authentication through that provider, bypassing the administrative restriction. The impact is amplified because disabling an IdP is the administrative control Keycloak relies on to revoke access through that provider; a missing enabled-state check defeats that control entirely. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, and high confidentiality and integrity impact.

Defensive priority

Patching this vulnerability is a high priority because it directly affects access control and authentication. Administrators should apply the patches or updates provided by Red Hat as soon as possible. Until then, defenders can monitor for unusual authentication activity, in particular completed logins attributed to an IdP that has been disabled, and restrict access to the IdentityBrokerService.performLogin endpoint, bearing in mind that this endpoint serves all brokered logins, so restricting it also affects legitimate logins through enabled IdPs.

Recommended defensive actions

  • Apply patches or updates provided by Red Hat to address the vulnerability
  • Monitor for unusual authentication activity and investigate any suspicious login attempts
  • Restrict access to the IdentityBrokerService.performLogin endpoint
  • Review and update IdP configurations to ensure proper access control enforcement
  • Consider implementing additional security measures, such as multi-factor authentication
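The monitoring recommendation above can be made concrete by checking completed Keycloak login events against the set of IdPs an administrator has disabled: any login that went through an IdP after its disable time is exactly the condition this flaw permits. The following is an added detection sketch, not code from Keycloak, Red Hat or PatchSiren; the event lines, IdP aliases and disable timestamps are constructed, and the field names (`type`, `time`, `details.identity_provider`) are assumed to follow Keycloak's login-event format.

```python
import json
from datetime import datetime, timezone

# Assumed input: aliases of IdPs an admin disabled and when, in epoch milliseconds
# to match Keycloak's event "time" field. Constructed values.
DISABLED_IDPS = {"partner-saml": 1772323200000}  # 2026-03-01T00:00:00Z

# Event types that mean a login completed; LOGIN_ERROR etc. are not bypasses.
COMPLETED_LOGIN_TYPES = {"LOGIN", "IDENTITY_PROVIDER_LOGIN"}

# Constructed JSON-lines sample in the shape of Keycloak login events; the
# "identity_provider" detail carries the alias of the IdP the login went through.
SAMPLE_EVENTS = """\
{"time": 1772236800000, "type": "LOGIN", "realmId": "corp", "userId": "u1", "ipAddress": "198.51.100.7", "details": {"identity_provider": "partner-saml"}}
{"time": 1772409600000, "type": "LOGIN", "realmId": "corp", "userId": "u2", "ipAddress": "203.0.113.9", "details": {"identity_provider": "partner-saml"}}
{"time": 1772409600000, "type": "LOGIN", "realmId": "corp", "userId": "u3", "ipAddress": "203.0.113.10", "details": {"identity_provider": "google"}}
{"time": 1772409600000, "type": "LOGIN_ERROR", "realmId": "corp", "ipAddress": "203.0.113.11", "details": {"identity_provider": "partner-saml"}}
{"time": 1772409600000, "type": "LOGIN", "realmId": "corp", "userId": "u4", "ipAddress": "10.0.0.5", "details": {"auth_method": "openid-connect"}}
"""

def parse_events(text):
    """Parse JSON-lines events, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_disabled_idp_logins(events, disabled=DISABLED_IDPS):
    """Return completed logins that went through an IdP after it was disabled."""
    findings = []
    for ev in events:
        alias = (ev.get("details") or {}).get("identity_provider")
        disabled_at = disabled.get(alias)
        if ev.get("type") not in COMPLETED_LOGIN_TYPES or disabled_at is None:
            continue  # not a completed login, or the IdP is not on the disabled list
        if ev.get("time", 0) <= disabled_at:
            continue  # login predates the disable; expected behaviour, not a bypass
        findings.append({"alias": alias, "userId": ev.get("userId"),
                         "ipAddress": ev.get("ipAddress"),
                         "time": datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc).isoformat()})
    return findings

if __name__ == "__main__":
    for f in find_disabled_idp_logins(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT login via disabled IdP {f['alias']}: user={f['userId']} ip={f['ipAddress']} at {f['time']}")
```

In a real deployment the disable timestamps would come from Keycloak admin events (IdP updates) or the admin REST API, and the login events from the realm's event log or a SIEM.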

Evidence notes

The CVE-2026-3009 vulnerability was publicly disclosed on March 5, 2026, and the record was last modified on June 30, 2026. The vulnerability affects multiple products, including Red Hat build of Keycloak and JBoss Enterprise Application Platform. Red Hat has released several advisories and patches to address this issue, including RHSA-2026:3947 and RHSA-2026:3948.

Official resources

This article was generated with AI assistance based on the supplied source corpus.