CVE-2026-9794 MEDIUM

CVE-2026-9794: Keycloak: keycloak: information disclosure via SAML ECP endpoint

Vendor Red Hat
Product Red Hat build of Keycloak 26.6.3
Weakness CWE-209 · Error message info leak
Published May 28, 2026
Last update June 10, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. Because the SOAP faultstring returned differs depending on the client, the attacker can observe those distinct faultstring values and determine the client's protocol type, leading to information disclosure.

Key dates

02 Disclosure timeline

May 28, 2026 CVE published
June 10, 2026 Record updated