CVE-2026-2092
Published: 18 March 2026
Summary
CVE-2026-2092 is a high-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): Directly addresses the failure to properly validate encrypted SAML assertions by requiring validation of all inputs, preventing injection of malicious assertions for arbitrary principals.
- IA-13 (Identity Providers and Authorization Servers): Mandates secure management and validation requirements for identity providers and authorization servers such as Keycloak SAML brokers, ensuring proper assertion handling and preventing impersonation.
- Flaw remediation: Requires timely identification, reporting, and correction of flaws such as the SAML broker validation vulnerability, as evidenced by the Red Hat security advisories that provide patches.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability in the public-facing Keycloak SAML endpoint directly enables forging or manipulating SAML tokens (T1606.002) for user impersonation, and its exploitation is an attack on the exposed application (T1190).
NVD Description
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
Deeper analysis [AI]
CVE-2026-2092 is a vulnerability in Keycloak's Security Assertion Markup Language (SAML) broker endpoint, which fails to properly validate encrypted assertions when the overall SAML response is not signed. Published on 2026-03-18, this flaw carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L) and is classified under CWE-1287. It affects Keycloak deployments relying on SAML identity brokering for authentication.
An attacker with low privileges (PR:L) who possesses a valid signed SAML assertion can exploit this by crafting a malicious SAML response that injects an encrypted assertion for an arbitrary principal. Exploitation requires network access and high attack complexity but no user interaction. Successful attacks enable unauthorized access by impersonating other users and potential information disclosure.
Red Hat has addressed this vulnerability in multiple security advisories, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948, with additional details available at https://access.redhat.com/security/cve/CVE-2026-2092. Security practitioners should apply these updates to mitigate the issue in affected Keycloak instances.
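The validation rule the description implies, shown as an added illustration rather than Keycloak's own code: every assertion a broker acts on must be covered by a signature it has verified, either a signature over the whole Response or one carried by the Assertion itself after decryption, because encryption alone says nothing about who issued the assertion. The `decrypt` callback, the sample XML and the placeholder `<ds:Signature/>` elements are constructed stand-ins; real XML-Signature and XML-Encryption processing is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _is_signed(elem):
    # Only a direct ds:Signature child counts; one nested deeper belongs elsewhere.
    return elem.find("ds:Signature", NS) is not None

def assertion_verdicts(xml_text, decrypt):
    """Return [(NameID, verdict)] per assertion in a samlp:Response; decrypt()
    maps an EncryptedAssertion element to plaintext <saml:Assertion> XML.
    Accept only if a verified signature covers the assertion: the whole Response
    is signed or the (decrypted) Assertion carries its own. Encryption != origin."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_signed = _is_signed(root)
    verdicts = []
    for child in root:
        if child.tag == "{%s}Assertion" % NS["saml"]:
            assertion = child
        elif child.tag == "{%s}EncryptedAssertion" % NS["saml"]:
            assertion = ET.fromstring(decrypt(child))  # judge the plaintext
        else:
            continue
        name_id = assertion.findtext("saml:Subject/saml:NameID", "?", namespaces=NS)
        ok = response_signed or _is_signed(assertion)
        verdicts.append((name_id, "accept" if ok else "reject"))
    return verdicts

def response_acceptable(xml_text, decrypt):
    # A broker must not act on any assertion it cannot tie to a signature.
    verdicts = assertion_verdicts(xml_text, decrypt)
    return bool(verdicts) and all(v == "accept" for _, v in verdicts)

# Constructed sample: unsigned Response with a signed plaintext assertion for
# "alice" plus an encrypted assertion; <ds:Signature/> stands in for a real one.
UNSIGNED_RESPONSE = (
    '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">'
    '<saml:Assertion><ds:Signature/><saml:Subject><saml:NameID>alice</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
    '<saml:EncryptedAssertion><opaque/></saml:EncryptedAssertion></samlp:Response>' % NS
)
def fake_decrypt(_enc):  # stand-in for XML-Encryption; yields an unsigned assertion
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>admin'
            '</saml:NameID></saml:Subject></saml:Assertion>' % NS["saml"])
```

With the sample above, the signed assertion for alice is accepted while the unsigned decrypted assertion is rejected, so the response as a whole is refused; the same response with a signature over the Response element passes.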
Details
- CWE(s)