CVE-2026-3009

HIGH

Keycloak - Auth Bypass

Title source: llm

Description

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

References (4)

Scores

CVSS v3 8.1
EPSS 0.0006
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Classification

CWE
CWE-285
Status draft

Affected Products (1)

org.keycloak/keycloak-services < 26.5.5Maven

Timeline

Published Mar 05, 2026
Tracked Since Mar 06, 2026