PatchSiren cyber security CVE debrief
CVE-2026-7307 Red Hat CVE debrief
CVE-2026-7307 describes a network-reachable denial-of-service condition in Keycloak’s SAML handling. A remote, unauthenticated attacker can send specially crafted XML to the SAML endpoint and trigger high CPU usage plus worker thread starvation, making the service unavailable. The supplied record also shows low-confidence vendor attribution, with Red Hat references present in the source metadata.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.2
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Administrators and operators of Keycloak deployments, especially environments that expose SAML endpoints to untrusted networks. Security teams should also prioritize this if Keycloak is part of identity, single sign-on, or access-control infrastructure because an outage can block authentication flows.
Technical summary
The NVD metadata classifies the issue as CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and associates it with CWE-1286. The user-supplied description indicates that malformed or specially crafted XML sent to the SAML endpoint can consume CPU and starve worker threads, producing an availability-only denial of service. No confidentiality or integrity impact is indicated in the supplied record.
Defensive priority
High for any internet-facing or broadly reachable Keycloak deployment using SAML, because the attack requires no authentication and can render the service unavailable. Prioritize validation of exposure, vendor remediation tracking, and operational monitoring for CPU and thread exhaustion.
Recommended defensive actions
- Review the Red Hat CVE advisory and the CVE/NVD records for vendor guidance and any affected-version details.
- If Keycloak is used for SAML, reduce exposure of the SAML endpoint to untrusted networks where possible.
- Apply vendor-recommended patches or mitigations as soon as they are available for your deployment.
- Monitor Keycloak CPU utilization, worker thread saturation, and request error rates for signs of abnormal SAML traffic.
- Add rate limiting, upstream filtering, or WAF controls where they can safely reduce abusive request volume without breaking legitimate SAML traffic.
- Inventory all applications that depend on the affected Keycloak instance so an availability incident can be handled quickly.
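As an added illustration of the monitoring advice above (not part of the original debrief and not Red Hat or Keycloak project code): a small Python checker over constructed reverse-proxy access-log lines that flags one source bursting requests at the Keycloak SAML endpoint path (/realms/<realm>/protocol/saml) and a service-wide rise in slow or 5xx SAML responses, which is how worker-thread starvation would surface to other clients. It assumes a proxy that appends upstream response time in milliseconds as the last field of each combined-format line; the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic): combined-log format with the
# proxy's upstream response time in milliseconds appended as the last field.
SAMPLE_LOG = """\
198.51.100.9 - - [19/May/2026:12:00:00 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 200 1840 48
203.0.113.7 - - [19/May/2026:12:00:05 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 200 1840 900
203.0.113.7 - - [19/May/2026:12:00:06 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 200 1840 1400
203.0.113.7 - - [19/May/2026:12:00:07 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 200 1840 2600
198.51.100.9 - - [19/May/2026:12:00:08 +0000] "GET /realms/corp/account HTTP/1.1" 200 3100 12
203.0.113.7 - - [19/May/2026:12:00:09 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 503 0 5000
203.0.113.7 - - [19/May/2026:12:00:10 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 503 0 5000
203.0.113.7 - - [19/May/2026:12:00:11 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 503 0 5000
198.51.100.9 - - [19/May/2026:12:00:15 +0000] "POST /realms/corp/protocol/saml HTTP/1.1" 504 0 6000
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+ (?P<ms>\d+)$')
# Keycloak's SAML IdP endpoint lives under /realms/<realm>/protocol/saml
SAML_PATH_RE = re.compile(r'^/realms/[^/]+/protocol/saml(?:/|\?|$)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "path": m["path"], "status": int(m["status"]),
            "ms": int(m["ms"]), "ts": datetime.strptime(m["ts"], TS_FMT)}

def analyze(lines, window_s=60, max_per_src=5, slow_ms=2000, degraded_share=0.5):
    """Return per-source SAML request bursts and whether the endpoint looks starved overall."""
    saml = [r for r in map(parse, lines) if r and SAML_PATH_RE.match(r["path"])]
    saml.sort(key=lambda r: r["ts"])
    bursts, recent = {}, defaultdict(list)
    for r in saml:
        q = recent[r["src"]]
        q.append(r["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # sliding window per source
            q.pop(0)
        if len(q) > max_per_src:
            bursts[r["src"]] = max(bursts.get(r["src"], 0), len(q))
    # Thread starvation shows up for every client as slow or 5xx SAML responses,
    # so the service-wide share of such responses is the second signal.
    bad = sum(1 for r in saml if r["ms"] >= slow_ms or r["status"] in (502, 503, 504))
    degraded = bool(saml) and bad / len(saml) >= degraded_share
    return {"bursts": bursts, "degraded": degraded}
```

On the sample, the single burst source is reported with its peak in-window count and the degraded flag is set because most SAML responses in the window are slow or 5xx, including the legitimate client's.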
Evidence notes
CVE publication and modification timestamps supplied here are both 2026-05-19T12:16:19.423Z. The NVD metadata marks the vulnerability status as Received and includes CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The source metadata also records Red Hat-supplied references and CWE-1286. The supplied corpus does not include affected-version ranges or a fixed-version statement.
Official resources
Publicly disclosed in the CVE/NVD record on 2026-05-19, with Red Hat references present in the source metadata on the same date. The supplied record does not provide an earlier issue date or timeline.