PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3047 Red Hat CVE debrief

CVE-2026-3047 is a high-severity security flaw in Red Hat build of Keycloak. A disabled SAML client can still complete the login process and establish a Single Sign-On (SSO) session, which lets a remote attacker gain unauthorized access to other enabled clients without re-authenticating. The flaw has a CVSS score of 8.8 and is rated high risk. The CVE was published on March 5, 2026, and last modified on June 30, 2026. Red Hat has released several advisories and patches to address it.

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-05
Original CVE updated: 2026-06-30
Advisory published: 2026-03-05
Advisory updated: 2026-06-30

Who should care

Security teams and administrators responsible for Red Hat build of Keycloak deployments should treat this vulnerability as urgent and act to mitigate the risk. A remote attacker can exploit the flaw to gain unauthorized access to sensitive systems and data. Organizations running affected versions of Red Hat build of Keycloak should prioritize patching and updating their systems.

Technical summary

The vulnerability lies in the org.keycloak.broker.saml module, which allows a disabled SAML client to still complete the login process and establish an SSO session. This is possible because the SAML client is configured as an Identity Provider (IdP)-initiated broker landing target. An attacker can use this to bypass the client's disabled state and reach other enabled clients without re-authenticating. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

Patching and updating affected Red Hat build of Keycloak deployments should be treated as high priority. Security teams should work with system administrators to confirm that all necessary patches are applied and that SAML client configurations do not leave the flaw exploitable.

Recommended defensive actions

  • Apply patches and updates released by Red Hat to address CVE-2026-3047
  • Review and update SAML client configurations to prevent exploitation
  • Monitor system logs and security events for potential attacks
  • Implement additional security controls, such as multi-factor authentication, to reduce the risk of exploitation
  • Conduct regular security assessments and penetration testing to identify potential vulnerabilities
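The technical summary above describes a disabled SAML client that still completes login; the monitoring action in the list is easiest to act on with a concrete check. The script below is an added example (not PatchSiren or Keycloak project code) that flags successful login events attributed to disabled SAML clients. It assumes records in the shape of Keycloak's Admin REST API ClientRepresentation (clientId, protocol, enabled) and EventRepresentation (type, clientId, time, userId); the sample data is constructed.

```python
"""Audit helper for CVE-2026-3047: flag SSO logins attributed to disabled
SAML clients. Added example; not PatchSiren or Keycloak project code.
Assumes client and event records in the shape returned by Keycloak's
Admin REST API (ClientRepresentation / EventRepresentation)."""
from datetime import datetime, timezone

# Constructed sample of what GET /admin/realms/{realm}/clients returns.
CLIENTS = [
    {"clientId": "hr-portal", "protocol": "saml", "enabled": False},
    {"clientId": "wiki", "protocol": "saml", "enabled": True},
    {"clientId": "account-console", "protocol": "openid-connect", "enabled": False},
]

# Constructed sample of what GET /admin/realms/{realm}/events returns
# (time is epoch milliseconds, as Keycloak reports it).
EVENTS = [
    {"type": "LOGIN", "clientId": "wiki", "time": 1772700000000, "userId": "u1"},
    {"type": "LOGIN", "clientId": "hr-portal", "time": 1772700060000, "userId": "u2"},
    {"type": "LOGIN_ERROR", "clientId": "hr-portal", "time": 1772700120000, "userId": "u3"},
    {"type": "CLIENT_LOGIN", "clientId": "account-console", "time": 1772700180000, "userId": "u4"},
]

# Event types that mean a session was actually established.
SUCCESS_TYPES = {"LOGIN", "CLIENT_LOGIN"}


def disabled_saml_clients(clients):
    """clientIds of SAML clients that are disabled but still registered.
    On an unpatched build these can still establish an SSO session."""
    return {c["clientId"] for c in clients
            if c.get("protocol") == "saml" and not c.get("enabled", True)}


def suspicious_logins(clients, events):
    """Successful logins that name a disabled SAML client. On a patched
    build none should occur, so every hit warrants investigation."""
    flagged = disabled_saml_clients(clients)
    hits = []
    for ev in events:
        if ev.get("type") in SUCCESS_TYPES and ev.get("clientId") in flagged:
            when = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)
            hits.append((when.isoformat(), ev["clientId"], ev.get("userId")))
    return hits


if __name__ == "__main__":
    for when, client, user in suspicious_logins(CLIENTS, EVENTS):
        print(f"{when} disabled SAML client {client!r} completed login for user {user}")
```

Feed it the real output of the two admin endpoints to run the same check against a live realm; the OIDC client in the sample is ignored on purpose because the flaw is specific to SAML clients.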

Evidence notes

The CVE-2026-3047 record was published on March 5, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 8.8 and is rated high risk. Red Hat has released several advisories and patches to address it, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948.

This article was generated with AI assistance based on the supplied source corpus.