Security Flaw in Keycloak's IdentityBrokerService Allows Unauthorized Authentication
CVE-2026-3009

8.1HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.10
Red Hat Jboss Enterprise Application Platform 8
Red Hat Jboss Enterprise Application Platform Expansion Pack
Vendor
CVE Published:
5 March 2026

What is CVE-2026-3009?

A security flaw exists in Keycloak's IdentityBrokerService.performLogin endpoint, which allows the authentication process through a disabled Identity Provider (IdP). Admins disabling an IdP do not prevent an attacker, possessing knowledge of the IdP alias, from leveraging a previously generated login request, enabling them to bypass access control measures. This vulnerability compromises the integrity of authentication workflows, potentially allowing unauthorized entities to gain access through external providers that administrators have disabled.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.10-1

Red Hat build of Keycloak 26.4 26.4-12

Red Hat build of Keycloak 26.4 26.4-12

References

https://access.redhat.com/errata/RHSA-2026:3947
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3948
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-3009
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.