CVE-2026-2603 — Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Description

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

How to fix CVE-2026-2603

To remediate CVE-2026-2603, upgrade the affected package to a fixed version below.

—upgrade to 26.5.5 or later
—upgrade to 26.5.5 or later

Is CVE-2026-2603 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 26.5.5
from 0, < 26.5.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-2603
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2026:3925
WEBaccess.redhat.com/errata/RHSA-2026:3926
WEBaccess.redhat.com