CVE-2026-3009

HIGH

Keycloak - Auth Bypass

Title source: llm

Description

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

References (4)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:3947

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:3948

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2026-3009

[Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2441867

Scores

CVSS v3 8.1

EPSS 0.0003

EPSS Percentile 9.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-863

Status published

Products (13)

org.keycloak/keycloak-services 0 - 26.5.5Maven

Red Hat/Red Hat build of Keycloak 26.4 26.4-12

Red Hat/Red Hat build of Keycloak 26.4 26.4.10-1

Red Hat/Red Hat build of Keycloak 26.4.10

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack

Red Hat/Red Hat Single Sign-On 7

redhat/build_of_keycloak

redhat/build_of_keycloak 26.4

redhat/build_of_keycloak 26.4.10

... and 3 more

Published Mar 05, 2026

Tracked Since Mar 06, 2026