CVE-2026-2575 — Keycloak: Denial of Service due to excessive SAMLRequest decompression

Description

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

How to fix CVE-2026-2575

To remediate CVE-2026-2575, upgrade the affected package to a fixed version below.

—upgrade to 26.5.4 or later
—upgrade to 26.5.4 or later
—upgrade to 26.5.4 or later

Is CVE-2026-2575 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 26.5.4
from 0, < 26.5.4
from 0, < 26.5.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-2575
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2026:3947
WEBaccess.redhat.com/errata/RHSA-2026:3948
WEBaccess.redhat.com