Cyber Resilience

CVE-2026-2603

Severity: High (updated)

Published: 18 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (see the Red Hat errata below)
CVSS Score: v3.1 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0040 (32.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2603 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Redhat (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique SAML Tokens (T1606.002); it is ranked at the 32.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).

Deeper analysis

CVE-2026-2603 is a security flaw in Keycloak that allows a remote attacker to bypass authentication controls. By sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint designated for IdP-initiated broker logins, the attacker can complete broker logins even when the SAML IdP is disabled. This leads to unauthorized authentication, mapped to CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low attack complexity and no user interaction required. The attacker crafts and submits a legitimate-looking SAML response to the broker login endpoint, tricking Keycloak into accepting it despite the IdP being disabled. Successful exploitation results in high impacts to confidentiality and integrity, enabling unauthorized access to the system via broker login mechanisms.

Red Hat has released multiple errata addressing this issue, including RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, and RHSA-2026:3948, with additional details available on the CVE security page at https://access.redhat.com/security/cve/CVE-2026-2603. Security practitioners should review and apply these updates promptly to mitigate the vulnerability.

Vulnerability details

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1606.002 SAML Tokens (Credential Access): An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows crafting and submitting a valid SAML response to bypass authentication (T1606.002), and it exploits Keycloak's remotely reachable broker service to escalate from low privileges (T1068, T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-21198 (shared CWE-306)
- CVE-2025-65824 (shared CWE-306)
- CVE-2026-26288 (shared CWE-306)
- CVE-2025-48572 (shared CWE-306)
- CVE-2026-26160 (shared CWE-306)
- CVE-2026-24068 (shared CWE-306)
- CVE-2025-13779 (shared CWE-306)
- CVE-2026-27182 (shared CWE-306)
- CVE-2026-6348 (shared CWE-306)
- CVE-2026-24062 (shared CWE-306)

Affected Assets

Redhat (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

Tags: prevent, recover

Requires timely remediation of flaws like CVE-2026-2603 in Keycloak through vendor patches such as RHSA-2026:3925 to prevent unauthorized broker logins.

Tags: prevent

Ensures external identity providers are properly registered and managed, preventing Keycloak from processing SAML responses from disabled IdPs during broker logins.

Tags: prevent

Enforces access control policies at the SAML broker login endpoint to block unauthorized authentication attempts via crafted SAML responses.
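As an added defender-side check (not code from Keycloak, Red Hat or this page), the script below inventories SAML identity providers that are disabled but still configured in a realm, since this flaw means "disabled" does not stop the broker endpoint from accepting IdP-initiated responses until the erratum is applied. It assumes the JSON shape of Keycloak's admin endpoint GET /admin/realms/{realm}/identity-provider/instances (fields alias, providerId, enabled) and the broker endpoint layout /realms/{realm}/broker/{alias}/endpoint; the sample JSON is constructed.

```python
import json

# Constructed sample of the admin API response for one realm; field names
# (alias, providerId, enabled, config) follow IdentityProviderRepresentation.
SAMPLE_IDP_INSTANCES = json.dumps([
    {"alias": "corp-saml", "providerId": "saml", "enabled": False,
     "config": {"singleSignOnServiceUrl": "https://idp.example/sso"}},
    {"alias": "partner-saml", "providerId": "saml", "enabled": True,
     "config": {}},
    {"alias": "google", "providerId": "oidc", "enabled": False,
     "config": {}},
])


def broker_endpoint(realm: str, alias: str) -> str:
    """Path where IdP-initiated SAML responses for this broker are received
    (assumed Keycloak layout: /realms/{realm}/broker/{alias}/endpoint)."""
    return f"/realms/{realm}/broker/{alias}/endpoint"


def disabled_saml_brokers(realm: str, instances_json: str) -> list[dict[str, str]]:
    """Return SAML IdPs that are disabled yet still present in the realm.

    On unpatched Keycloak (CVE-2026-2603) their endpoint still completes
    broker logins, so each finding lists the endpoint to watch and the
    recommended action: remove the IdP or apply the Red Hat erratum.
    """
    findings = []
    for idp in json.loads(instances_json):
        # Only SAML brokers are in scope; enabled ones are not affected.
        if idp.get("providerId") != "saml" or idp.get("enabled", True):
            continue
        findings.append({
            "alias": idp["alias"],
            "endpoint": broker_endpoint(realm, idp["alias"]),
            "action": "remove the IdP or apply the RHSA-2026 erratum",
        })
    return findings


if __name__ == "__main__":
    for finding in disabled_saml_brokers("master", SAMPLE_IDP_INSTANCES):
        print(finding)
```

Feed it the live admin API response for each realm to get the list of broker endpoints that need either removal or the patch.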

References