CVE-2026-9794

MEDIUM

Keycloak: keycloak: information disclosure via saml ecp endpoint

Title source: cna
STIX 2.1

Description

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25097
https://access.redhat.com/errata/RHSA-2026:25097
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25098
https://access.redhat.com/errata/RHSA-2026:25098
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2482461
https://bugzilla.redhat.com/show_bug.cgi?id=2482461
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-9794

Scores

CVSS v3 5.3
EPSS 0.0031
EPSS Percentile 22.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-209
Status published
Products (5)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 26.6 26.6-6
Red Hat/Red Hat build of Keycloak 26.6 26.6.3-3
Red Hat/Red Hat build of Keycloak 26.6.3
redhat/build_of_keycloak
Published May 28, 2026
Tracked Since May 28, 2026