← back
CVE-2026-3009

Org.keycloak/keycloak-services: improper enforcement of disabled identity provider in identitybrokerservice (authentication bypass)

CVSS 8.1 HIGHEPSS 0.3%CWE-863
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
05 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →