Org.keycloak/keycloak-services: improper enforcement of disabled identity provider in identitybrokerservice (authentication bypass)
Summary
| CVE | CVE-2026-3009 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-05 19:16:18 UTC |
| Updated | 2026-06-30 03:19:09 UTC |
| Description | A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. |
Risk And Classification
Primary CVSS: v3.1 8.1 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.003330000 probability, percentile 0.251760000 (date 2026-07-02)
Problem Types: CWE-863 | CWE-863 Incorrect Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | [email protected] | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Build Of Keycloak | - | All | All | All |
| Application | Redhat | Build Of Keycloak | 26.4 | All | All | All |
| Application | Redhat | Build Of Keycloak | 26.4.10 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 8.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform Expansion Pack | - | All | All | All |
| Application | Redhat | Single Sign-on | 7.0 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-3009 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:3947 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3009.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3948 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-02-23T04:55:39.695Z | Reported to Red Hat. |
| CNA | 2026-03-05T11:23:00.000Z | Made public. |
| ADP | 2026-02-23T04:55:39.695Z | Reported to Red Hat. |
| ADP | 2026-03-05T11:23:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:3948: Red Hat build of Keycloak 26.4
ADP: RHSA-2026:3947: Red Hat build of Keycloak 26.4.10
Workarounds
CNA: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
ADP: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.