Improper Validation of Specified Type of Input in Keycloak - CVE-2026-2092

Published: June 1, 2026

Vulnerability identifier: #VU133121
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-2092
CWE-ID: CWE-1287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access and disclose sensitive information.

The vulnerability exists because the SAML broker endpoint does not properly validate the type of input it receives when processing encrypted assertions contained in an unsigned SAML response. A remote user can craft a malicious SAML response containing an encrypted assertion for an arbitrary principal to gain unauthorized access and disclose sensitive information.

Exploitation requires a valid signed SAML assertion.

How to mitigate CVE-2026-2092

Install the security update from the vendor's website.

Sources