CVE-2026-2603: A flaw was found in Keycloak. A remote attacker could

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

• EPSS 0.2% (45.5% percentile)
• CVSS 8.1 high

Related briefings

• CVE-2026-3009 and CVE-2026-3047: Keycloak Authentication Bypass via Disabled Identity Providers and SAML Broker 2026-03-05

Browse the CVE database

Read the full analysis on IntelFusions