CVE-2026-3009

Опубликовано: 05 мар. 2026

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

Ссылки

https://access.redhat.com/errata/RHSA-2026:3947
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:3948
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-3009
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2441867
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*

cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:*:*:*:*

cpe:2.3:a:redhat:build_of_keycloak:26.4.10:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*

cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 8%

0.00028

Низкий

8.1 High

CVSS3

8.1 High

CVSS3

Дефекты

CWE-285

CWE-863

Связанные уязвимости

CVE-2026-3009

CVSS3: 8.1

redhat

22 дня назад

CVE-2026-3009

CVSS3: 8.1

debian

22 дня назад

A security flaw in the IdentityBrokerService.performLogin endpoint of ...

GHSA-m297-3jv9-m927

CVSS3: 8.1

github

22 дня назад

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

EPSS

Процентиль: 8%

0.00028

Низкий

8.1 High

CVSS3

8.1 High

CVSS3

Дефекты

CWE-285

CWE-863