anonhaven
Ad

CVE-2026-3009

HIGH CVSS 3.1: 8.1 EPSS 0.06%
Updated Mar 05, 2026
Keycloak
Parameter Value
CVSS 8.1 (HIGH)
Type CWE-285 (Improper Authorization)
Vendor Keycloak
Public PoC No

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-285 Improper Authorization

References 4

https://access.redhat.com/errata/RHSA-2026:3947
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:3948
secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2026-3009
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2441867
secalert@redhat.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3429

Keycloak

4.2

CVE-2026-3911

Keycloak

2.7

CVE-2026-30949

Keycloak

7.6

CVE-2026-3047

Keycloak

8.8

CVE-2025-12150

Keycloak

3.1