PatchSiren cyber security CVE debrief

CVE-2026-9794 Red Hat CVE debrief

A vulnerability in Keycloak's SAML ECP (Enhanced Client or Proxy) endpoint allows remote, unauthenticated attackers to enumerate client protocol types through differential error responses. By submitting crafted SOAP requests with varying client IDs and analyzing distinct faultstring values in the XML responses, an attacker can determine whether a given client ID corresponds to a SAML or OpenID Connect (OIDC) client. This constitutes an information disclosure weakness (CWE-209) that could aid in reconnaissance for follow-on attacks. The vulnerability is rated CVSS 3.1 5.3 (Medium) with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The flaw was disclosed on May 28, 2026, with Red Hat as the originating source. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: Red Hat
Product: Red Hat Build of Keycloak
CVSS: 5.3 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Keycloak identity and access management platforms with SAML ECP endpoints enabled; security teams responsible for identity infrastructure hardening; compliance officers concerned with information disclosure in authentication systems

Technical summary

The vulnerability exists in Keycloak's implementation of the SAML ECP profile, which uses SOAP for client authentication. When an attacker submits a SAML ECP request with a non-existent or manipulated client ID, the server's error response includes a faultstring that varies depending on the actual protocol type configured for that client ID in the Keycloak realm. This side-channel allows protocol enumeration without authentication. The flaw stems from error messages revealing internal state (CWE-209) rather than returning generic, non-descriptive errors. Attack complexity is low as the endpoint is typically exposed for ECP functionality and no authentication is required to submit SOAP requests.

Defensive priority

Medium

Recommended defensive actions

  • Review Keycloak SAML ECP endpoint configurations and assess exposure to untrusted networks
  • Monitor authentication logs for anomalous SOAP request patterns to SAML ECP endpoints
  • Apply vendor patches when available from Red Hat or Keycloak project
  • Consider implementing rate limiting and request validation on SAML ECP endpoints to reduce enumeration risk
  • Review client ID exposure and evaluate whether internal client identifiers can be randomized or obscured
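As an added illustration of the log-monitoring action above (this is not code from PatchSiren, Red Hat or the Keycloak project), a small Python detector run over constructed proxy log lines: it flags a source that, within a short window, sends SOAP requests to the SAML endpoint naming many different issuers and collects a matching run of fault responses, while leaving a single service provider that repeatedly authenticates alone. It assumes a reverse proxy that logs the SOAP Issuer value next to each request, the `/realms/<realm>/protocol/saml` endpoint layout, and that SOAP faults appear as 5xx status codes; adjust those to your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not real Keycloak output). The field layout,
# the endpoint path and the issuer=<client id> field are assumptions for this example.
SAMPLE_LOG = """\
2026-05-28T10:00:01Z 198.51.100.7 POST /realms/demo/protocol/saml application/soap+xml 500 issuer=app-01
2026-05-28T10:00:02Z 198.51.100.7 POST /realms/demo/protocol/saml application/soap+xml 500 issuer=app-02
2026-05-28T10:00:02Z 198.51.100.7 POST /realms/demo/protocol/saml application/soap+xml 500 issuer=app-03
2026-05-28T10:00:03Z 198.51.100.7 POST /realms/demo/protocol/saml application/soap+xml 500 issuer=app-04
2026-05-28T10:00:04Z 198.51.100.7 POST /realms/demo/protocol/saml application/soap+xml 500 issuer=app-05
2026-05-28T10:00:05Z 203.0.113.9 POST /realms/demo/protocol/saml application/soap+xml 200 issuer=payroll-sp
2026-05-28T10:00:12Z 203.0.113.9 POST /realms/demo/protocol/saml application/soap+xml 500 issuer=payroll-sp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) POST (?P<path>\S+) (?P<ctype>\S+) (?P<status>\d{3}) issuer=(?P<issuer>\S+)$")
SAML_PATH_RE = re.compile(r"^/realms/[^/]+/protocol/saml/?$")  # assumed endpoint layout

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "path": m["path"],
        "soap": m["ctype"].startswith("application/soap+xml"),
        "fault": int(m["status"]) >= 500,  # assumption: SOAP faults surface as 5xx
        "issuer": m["issuer"],
    }

def find_enumeration(log_text, window=timedelta(seconds=60), min_distinct=4, min_faults=4):
    """Flag sources that, within `window`, send SOAP requests to the SAML endpoint
    naming >= min_distinct different issuers and receiving >= min_faults faults."""
    per_src, flagged = defaultdict(deque), {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["soap"] or not SAML_PATH_RE.match(ev["path"]):
            continue
        q = per_src[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events that fell out of the window
            q.popleft()
        issuers = {e["issuer"] for e in q}
        faults = sum(e["fault"] for e in q)
        if len(issuers) >= min_distinct and faults >= min_faults:
            flagged[ev["src"]] = {"distinct_issuers": len(issuers), "faults": faults}
    return flagged
```

The thresholds are deliberately conservative defaults; a legitimate ECP client normally presents one issuer, so even a handful of distinct issuers from one source inside a minute is worth a closer look.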

Evidence notes

Vulnerability description sourced from NVD record with Red Hat as primary reference source. CVSS vector confirms network-accessible, unauthenticated information disclosure. CWE-209 (Generation of Error Message Containing Sensitive Information) assigned by Red Hat. No CPE criteria available in source data; vendor attribution to Red Hat/Keycloak based on reference domain and bugzilla entry.
