Denial of Service Vulnerability in Keycloak by Red Hat
CVE-2026-2575

5.3MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.10
Vendor
CVE Published:
18 March 2026

What is CVE-2026-2575?

A security flaw exists in Keycloak that allows an unauthenticated remote attacker to exploit an application-level Denial of Service (DoS) by sending a specially crafted SAMLRequest. The vulnerability arises due to the server's failure to impose size limits during DEFLATE decompression, which may result in an OutOfMemoryError (OOM). This situation can lead to the termination of the Keycloak process, effectively disrupting service availability and impacting users. It is crucial for organizations using Keycloak to implement the latest patches to mitigate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.10-1

Red Hat build of Keycloak 26.4 26.4-12

Red Hat build of Keycloak 26.4 26.4-12

References

https://access.redhat.com/errata/RHSA-2026:3947
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3948
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-2575
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Sho Odagiri (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
JSON
.