{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-2603","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-02-16T21:18:50.125Z","datePublished":"2026-03-18T01:14:53.540Z","dateUpdated":"2026-03-18T14:10:10.355Z"},"containers":{"cna":{"title":"Keycloak: keycloak: unauthorized authentication via disabled saml identity provider","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication."}],"affected":[{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.2","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.2.14-1","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.2::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.2","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.2-16","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.2::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.2","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.2-16","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.2::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.2.14","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","cpes":["cpe:/a:redhat:build_keycloak:26.2::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.4.10-1","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.4-12","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.4-12","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.10","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:3925","name":"RHSA-2026:3925","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:3926","name":"RHSA-2026:3926","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:3947","name":"RHSA-2026:3947","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:3948","name":"RHSA-2026:3948","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-2603","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440300","name":"RHBZ#2440300","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-03-05T11:23:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"Missing Authentication for Critical Function","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-306: Missing Authentication for Critical Function","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"timeline":[{"lang":"en","time":"2026-02-16T21:15:53.373Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-05T11:23:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-03-18T01:14:53.540Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440300","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-18T14:10:05.707703Z","id":"CVE-2026-2603","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-18T14:10:10.355Z"}}]}}