CVE-2026-3009
Severity: HIGH
Keycloak < 26.5.5 - Incorrect Authorization via Disabled Identity Provider Bypass
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
References (4)
  Vendor advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2026:3947
  Vendor advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2026:3948
  Vendor advisory, VDB entry (x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2026-3009
  Vendor advisory, issue tracking (x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2441867
Scores
  CVSS v3 base score: 8.1 (HIGH)
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  Attack Vector: NETWORK
  EPSS: 0.0033 (percentile 24.9%)
CISA SSVC (Vulnrichment)
  Exploitation: none
  Automatable: no
  Technical Impact: total
Details
  CWE: CWE-863 (Incorrect Authorization)
  Status: published
Products (13)
  org.keycloak/keycloak-services (Maven): versions 0 through 26.5.5 (fixed in 26.5.5)
  Red Hat / Red Hat build of Keycloak 26.4: 26.4-12
  Red Hat / Red Hat build of Keycloak 26.4: 26.4.10-1
  Red Hat / Red Hat build of Keycloak 26.4.10
  Red Hat / Red Hat JBoss Enterprise Application Platform 8
  Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
  Red Hat / Red Hat Single Sign-On 7
  redhat/build_of_keycloak
  redhat/build_of_keycloak: 26.4
  redhat/build_of_keycloak: 26.4.10
  ... and 3 more
Published: Mar 05, 2026
Tracked Since: Mar 06, 2026