Cyber Posture

CVE-2026-2603

High

Published: 18 March 2026

Modified: 18 March 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0019 (40.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2603 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique SAML Tokens (T1606.002). Its EPSS score places it at the 40.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).

Threat & Defense at a Glance

What attackers do: exploitation maps to SAML Tokens (T1606.002) and two other techniques (T1068, T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Vendor patching (prevent, recover): Requires timely remediation of flaws like CVE-2026-2603 in Keycloak through vendor patches such as RHSA-2026:3925 to prevent unauthorized broker logins.
- IA-13 Identity Providers and Authorization Servers (prevent): Ensures external identity providers are properly registered and managed, preventing Keycloak from processing SAML responses from disabled IdPs during broker logins.
- AC-3 Access Enforcement (prevent): Enforces access control policies at the SAML broker login endpoint to block unauthorized authentication attempts via crafted SAML responses.

MITRE ATT&CK Enterprise Techniques

- T1606.002 SAML Tokens (Credential Access): An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows an attacker to craft and submit a valid SAML response to bypass authentication (T1606.002), and it exploits Keycloak's remote services to escalate from low privileges (T1068, T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

Deeper analysis

CVE-2026-2603 is a security flaw in Keycloak that allows a remote attacker to bypass authentication controls. By sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint designated for IdP-initiated broker logins, the attacker can complete broker logins even when the SAML IdP is disabled. This leads to unauthorized authentication, mapped to CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low attack complexity and no user interaction required. The attacker submits a valid SAML response to the IdP-initiated broker login endpoint, and Keycloak accepts it despite the corresponding IdP being disabled. Successful exploitation results in high impacts to confidentiality and integrity, enabling unauthorized access to the system via the broker login mechanism.

Red Hat has released multiple errata addressing this issue, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948, with additional details available on the CVE security page at https://access.redhat.com/security/cve/CVE-2026-2603. Security practitioners should review and apply these updates promptly to mitigate the vulnerability.
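Until the Red Hat errata are applied, defenders can at least detect the condition the flaw produces: a broker login completing through an identity provider that is disabled in the realm. The script below is an added example, not code from Keycloak, Red Hat or this page; it assumes the JSON event shape returned by Keycloak's admin events API (`type`, `time`, `ipAddress`, `details.identity_provider`) and an exported list of identity providers with their `enabled` flag, and all aliases and events are constructed.

```python
"""Flag Keycloak IDENTITY_PROVIDER_LOGIN events that used a disabled SAML IdP.

Added example; not Keycloak or Red Hat code. Event and IdP shapes are
assumed from the admin REST API; all data below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed realm identity providers (hypothetical aliases). Only `alias`,
# `providerId` and `enabled` are used here.
IDENTITY_PROVIDERS = [
    {"alias": "corp-saml", "providerId": "saml", "enabled": True},
    {"alias": "legacy-saml", "providerId": "saml", "enabled": False},
]

# Constructed login events, one JSON object per line, in the shape of the
# admin events API. The second line is the pattern CVE-2026-2603 produces:
# a broker login that completed via an IdP that is disabled.
EVENT_LOG = """\
{"time":1773792000000,"type":"IDENTITY_PROVIDER_LOGIN","realmId":"master","ipAddress":"203.0.113.10","details":{"identity_provider":"corp-saml","username":"alice"}}
{"time":1773792060000,"type":"IDENTITY_PROVIDER_LOGIN","realmId":"master","ipAddress":"198.51.100.7","details":{"identity_provider":"legacy-saml","username":"bob"}}
{"time":1773792120000,"type":"LOGIN","realmId":"master","ipAddress":"203.0.113.11","details":{"username":"carol"}}
"""


def disabled_saml_aliases(idps):
    """Return the aliases of SAML identity providers that are not enabled."""
    return {p["alias"] for p in idps
            if p.get("providerId") == "saml" and not p.get("enabled", False)}


def find_disabled_idp_logins(event_log, idps):
    """Return broker logins whose identity_provider is a disabled SAML IdP."""
    disabled = disabled_saml_aliases(idps)
    hits = []
    for line in event_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") != "IDENTITY_PROVIDER_LOGIN":
            continue  # only broker logins are relevant to this flaw
        alias = ev.get("details", {}).get("identity_provider")
        if alias in disabled:
            when = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)
            hits.append({"time": when.isoformat(), "realm": ev.get("realmId"),
                         "idp": alias, "ip": ev.get("ipAddress"),
                         "user": ev["details"].get("username")})
    return hits


if __name__ == "__main__":
    for hit in find_disabled_idp_logins(EVENT_LOG, IDENTITY_PROVIDERS):
        print("ALERT disabled-IdP broker login:", hit)
```

Any hit is worth treating as a suspected exploitation attempt, since a correctly behaving Keycloak should never record a broker login through a disabled IdP.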

Details

CWE(s): CWE-306 Missing Authentication for Critical Function

CVEs Like This One

- CVE-2025-21198 (shared CWE-306)
- CVE-2025-65824 (shared CWE-306)
- CVE-2026-26288 (shared CWE-306)
- CVE-2026-24068 (shared CWE-306)
- CVE-2026-26159 (shared CWE-306)
- CVE-2026-33788 (shared CWE-306)
- CVE-2026-6348 (shared CWE-306)
- CVE-2025-48572 (shared CWE-306)
- CVE-2026-0492 (shared CWE-306)
- CVE-2025-13779 (shared CWE-306)
