Keycloak: denial of service via specially crafted SAML input
Summary
| CVE | CVE-2026-7307 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-19 12:16:19 UTC |
| Updated | 2026-06-03 19:52:44 UTC |
| Description | A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.000530000 probability, percentile 0.169740000 (date 2026-06-03)
Problem Types: CWE-1286 Improper Validation of Syntactic Correctness of Input
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | N | Network |
| Attack Complexity (AC) | L | Low |
| Privileges Required (PR) | N | None |
| User Interaction (UI) | N | None |
| Scope (S) | U | Unchanged |
| Confidentiality (C) | N | None |
| Integrity (I) | N | None |
| Availability (A) | H | High |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Build Of Keycloak | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2 | unaffected 26.2.16-1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2 | unaffected 26.2-21 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2.16 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4.12-1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4-17 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4.12 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:19594 | [email protected] | access.redhat.com | Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-7307 | [email protected] | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:19595 | [email protected] | access.redhat.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:19596 | [email protected] | access.redhat.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:19597 | [email protected] | access.redhat.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Anchels for reporting this issue.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-12T16:20:11.587Z | Reported to Red Hat. |
| CNA | 2026-05-19T10:42:34.560Z | Made public. |
Workarounds
CNA: To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.