CVE-2026-3009 HIGH

CVE-2026-3009: org.keycloak/keycloak-services: improper enforcement of disabled identity provider in IdentityBrokerService (authentication bypass)

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4.10
Weakness: CWE-863 · Incorrect authorization
Published: March 5, 2026
Last update: June 30, 2026

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
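As an added illustration (not Keycloak's code), the following Python model shows the control point the advisory describes: if the provider's enabled flag is checked only when the login request is created, a request issued before the administrator disabled the IdP can still complete; re-checking the flag in the performLogin step enforces the restriction. Class, function and alias names are constructed for the example.

```python
# Constructed model of a broker login flow (not Keycloak's implementation).
# It contrasts checking the IdP "enabled" flag only at request creation with
# re-checking it when the request is consumed in the performLogin step.
import secrets


class BrokerModel:
    def __init__(self, idps, enforce_at_perform_login):
        # idps: alias -> enabled flag (constructed sample data)
        self.idps = dict(idps)
        self.enforce_at_perform_login = enforce_at_perform_login
        self.pending = {}  # request id -> IdP alias

    def disable_idp(self, alias):
        """Administrator disables the provider after some requests were issued."""
        self.idps[alias] = False

    def create_login_request(self, alias):
        """Step 1: user is sent to the external IdP; enabled flag checked here."""
        if not self.idps.get(alias, False):
            raise PermissionError(f"identity provider {alias!r} is disabled or unknown")
        req_id = secrets.token_hex(8)
        self.pending[req_id] = alias
        return req_id

    def perform_login(self, req_id):
        """Step 2: the IdP response comes back and the pending request is used."""
        alias = self.pending.pop(req_id, None)
        if alias is None:
            raise PermissionError("unknown or already used login request")
        # Hardened behaviour: the administrative restriction is enforced again
        # at use time, so a request created while the IdP was enabled cannot
        # complete after the IdP has been disabled.
        if self.enforce_at_perform_login and not self.idps.get(alias, False):
            raise PermissionError(f"identity provider {alias!r} is disabled")
        return {"authenticated": True, "idp": alias}


def login_after_disable(enforce_at_perform_login):
    """Advisory scenario: request issued, IdP disabled, then the request is used."""
    broker = BrokerModel({"corp-saml": True}, enforce_at_perform_login)
    req_id = broker.create_login_request("corp-saml")
    broker.disable_idp("corp-saml")
    try:
        broker.perform_login(req_id)
        return "login succeeded"
    except PermissionError as exc:
        return f"rejected: {exc}"
```

Running `login_after_disable(False)` reproduces the weak behaviour (the login completes), while `login_after_disable(True)` shows the enforcement a defender expects at the performLogin step.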

Key dates

Disclosure timeline

March 5, 2026: CVE published
June 30, 2026: Record updated