CVE-2026-1190: Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

January 26, 2026 (updated January 27, 2026)

A flaw was found in Keycloak’s SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the NotOnOrAfter timestamp within the SubjectConfirmationData. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

References

access.redhat.com/security/cve/CVE-2026-1190
bugzilla.redhat.com/show_bug.cgi?id=2430835
github.com/advisories/GHSA-63v5-26vq-m4vm
github.com/keycloak/keycloak
github.com/keycloak/keycloak/issues/45646
nvd.nist.gov/vuln/detail/CVE-2026-1190

Code Behaviors & Features

Detect and mitigate CVE-2026-1190 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →