CVE-2026-2575

MEDIUM

Keycloak: keycloak: denial of service due to excessive samlrequest decompression

Title source: cna
STIX 2.1

Description

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:3947
https://access.redhat.com/errata/RHSA-2026:3947
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:3948
https://access.redhat.com/errata/RHSA-2026:3948
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-2575
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2440149
https://bugzilla.redhat.com/show_bug.cgi?id=2440149

Scores

CVSS v3 5.3
EPSS 0.0004
EPSS Percentile 13.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-409
Status published
Products (6)
org.keycloak/keycloak-saml-adapter-core 0 - 26.5.4Maven
org.keycloak/keycloak-saml-core 0 - 26.5.4Maven
org.keycloak/keycloak-services 0 - 26.5.4Maven
Red Hat/Red Hat build of Keycloak 26.4 26.4-12
Red Hat/Red Hat build of Keycloak 26.4 26.4.10-1
Red Hat/Red Hat build of Keycloak 26.4.10
Published Mar 18, 2026
Tracked Since Mar 18, 2026