CVE-2026-3009
CVE-2026-3009 is a high-severity vulnerability in Keycloak, rated 8.1/10 on the CVSS v3.1 scale (vector given under Metrics). A flaw in the IdentityBrokerService.performLogin endpoint allows authentication to proceed through an Identity Provider (IdP) that an administrator has already disabled, as detailed in the Description below. EPSS estimates a 0.33% probability of exploitation in the next 30 days.
Description
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Metrics
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Build of Keycloak | All versions |
| Red Hat | Build of Keycloak | 26.4 |
| Red Hat | Build of Keycloak | 26.4.10 |
| Red Hat | JBoss Enterprise Application Platform | 8.0 |
| Red Hat | JBoss Enterprise Application Platform Expansion Pack | All versions |
| Red Hat | Single Sign-On | 7.0 |
References
- https://access.redhat.com/errata/RHSA-2026:3947 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2026:3948 (Vendor Advisory)
- https://access.redhat.com/security/cve/CVE-2026-3009 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2441867 (Issue Tracking, Vendor Advisory)
Source: NVD / NIST
