PatchSiren cyber security CVE debrief
CVE-2026-3009 Red Hat CVE debrief
CVE-2026-3009 is a security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak, a popular open-source identity and access management solution. The vulnerability allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. The vulnerability has a CVSS score of 8.1 and is considered HIGH severity. Red Hat has released advisories and patches to address this issue.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-05
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-05
- Advisory updated: 2026-06-30
Who should care
Organizations using Keycloak for identity and access management should prioritize patching this vulnerability. Specifically, administrators of Keycloak instances who have configured external Identity Providers should be aware of the potential for authentication bypass. Additionally, security teams responsible for monitoring and incident response should be prepared to detect and respond to potential exploitation attempts.
Technical summary
The IdentityBrokerService.performLogin endpoint in Keycloak fails to check whether an Identity Provider (IdP) has been disabled before processing a login request. An attacker who knows the IdP alias can therefore reuse a previously generated login request and complete authentication through the disabled provider, bypassing the administrative restriction. Disabling an IdP is the control an administrator relies on to stop logins through that provider, so an endpoint that ignores the disabled flag defeats that control entirely. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, with high confidentiality and integrity impact and no availability impact.
Defensive priority
Patching this vulnerability is of high priority due to its potential impact on access control and authentication. Administrators should apply patches or updates provided by Red Hat as soon as possible. In the meantime, defenders can consider monitoring for unusual authentication activity and restricting access to the IdentityBrokerService.performLogin endpoint.
Recommended defensive actions
- Apply patches or updates provided by Red Hat to address the vulnerability
- Monitor for unusual authentication activity and investigate any suspicious login attempts
- Restrict access to the IdentityBrokerService.performLogin endpoint
- Review and update IdP configurations to ensure proper access control enforcement
- Consider implementing additional security measures, such as multi-factor authentication
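The monitoring action above can be made concrete as a simple detector over Keycloak login events. The following is an added example, not code from the advisory or from the Keycloak project. It assumes Keycloak event records exported as JSON Lines with the fields `type`, `realmId`, `userId`, `ipAddress`, `time` and `details.identity_provider` (an assumption about the export format), and a per-realm set of disabled IdP aliases that the SOC keeps in sync with the admin configuration. Any broker login whose alias is in the disabled set is exactly the activity this CVE makes possible, so on a patched server the detector should never fire; until patches are applied it flags the bypass. The sample events are constructed.

```python
import json

# Constructed sample of Keycloak-style login events in JSON Lines form. The
# field names (type, realmId, userId, ipAddress, time, details.identity_provider)
# are an assumption about the event export format, not taken from the advisory.
SAMPLE_EVENTS = """\
{"time": 1772700000000, "type": "IDENTITY_PROVIDER_LOGIN", "realmId": "corp", "userId": "u-1", "ipAddress": "203.0.113.10", "details": {"identity_provider": "partner-oidc"}}
{"time": 1772700060000, "type": "LOGIN", "realmId": "corp", "userId": "u-2", "ipAddress": "203.0.113.11", "details": {"username": "alice"}}
{"time": 1772700120000, "type": "IDENTITY_PROVIDER_LOGIN", "realmId": "corp", "userId": "u-3", "ipAddress": "198.51.100.7", "details": {"identity_provider": "legacy-saml"}}
not a json line
{"time": 1772700180000, "type": "IDENTITY_PROVIDER_FIRST_LOGIN", "realmId": "corp", "userId": "u-4", "ipAddress": "198.51.100.8", "details": {"identity_provider": "legacy-saml"}}
"""

# Assumption: disabled IdP aliases per realm, exported from the admin
# configuration and refreshed whenever an administrator disables a provider.
DISABLED_IDPS = {"corp": {"legacy-saml"}}


def parse_events(text):
    """Parse JSON Lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            evt = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a bad line must not hide the events after it
        if isinstance(evt, dict):
            events.append(evt)
    return events


def is_broker_event(evt):
    """Broker logins (initial and first-login flows) share the IDENTITY_PROVIDER_ prefix."""
    return str(evt.get("type", "")).startswith("IDENTITY_PROVIDER_")


def find_disabled_idp_logins(events, disabled_idps):
    """Return one alert per broker login whose IdP alias is disabled in its realm."""
    alerts = []
    for evt in events:
        if not is_broker_event(evt):
            continue
        realm = evt.get("realmId")
        alias = (evt.get("details") or {}).get("identity_provider")
        if alias is None:
            continue  # broker event without an alias: nothing to match against
        if alias in disabled_idps.get(realm, set()):
            alerts.append({
                "time": evt.get("time"),
                "realm": realm,
                "idp_alias": alias,
                "user_id": evt.get("userId"),
                "ip": evt.get("ipAddress"),
                "event_type": evt.get("type"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_disabled_idp_logins(parse_events(SAMPLE_EVENTS), DISABLED_IDPS):
        print(json.dumps(alert))
```

The detector keys on the realm as well as the alias, because IdP aliases are scoped per realm and the same alias may be enabled in one realm and disabled in another. Malformed lines are skipped rather than raised so that a single corrupt record does not suppress alerts for the records that follow it.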
Evidence notes
CVE-2026-3009 was publicly disclosed on March 5, 2026, and its record was last updated on June 30, 2026. The vulnerability affects multiple products, including Red Hat build of Keycloak and JBoss Enterprise Application Platform. Red Hat has released several advisories and patches to address this issue, including RHSA-2026:3947 and RHSA-2026:3948.
Official resources
- CVE-2026-3009 CVE record (CVE.org)
- CVE-2026-3009 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Issue Tracking, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.