CVE-2026-2092: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
A flaw was found in Keycloak. Keycloak’s Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.
References
- access.redhat.com/errata/RHSA-2026:3925
- access.redhat.com/errata/RHSA-2026:3926
- access.redhat.com/errata/RHSA-2026:3947
- access.redhat.com/errata/RHSA-2026:3948
- access.redhat.com/security/cve/CVE-2026-2092
- bugzilla.redhat.com/show_bug.cgi?id=2437296
- github.com/advisories/GHSA-wmxr-6j5f-838p
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d92508
- nvd.nist.gov/vuln/detail/CVE-2026-2092
Code Behaviors & Features
Detect and mitigate CVE-2026-2092 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →