Keycloak
26.5.5SecurityKeycloak 26.5.5 is a critical security release addressing four SAML broker vulnerabilities that could allow authentication bypass and unauthorized access in production environments.
securityImmediate upgrade required for SAML users
These CVEs affect SAML broker configurations and could allow authentication bypass. If you use SAML identity providers or broker functionality, schedule emergency maintenance to upgrade immediately. Review your disabled SAML providers to ensure they're properly secured post-upgrade.
securityAudit SAML broker configurations
After upgrading, verify that disabled SAML identity providers are truly disabled and cannot process authentication requests. Check your IdP-initiated login flows and ensure encryption is working correctly for SAML assertions.
主な変更 (4)
- Fixed CVE-2026-3047: SAML broker authentication bypass when disabled client completes IdP-initiated login
- Resolved CVE-2026-3009: Improper enforcement of disabled identity providers in broker service
- Patched CVE-2026-2603: Disabled SAML IdPs incorrectly allowing IdP-initiated logins
- Secured CVE-2026-2092: SAML broker encrypted assertion injection vulnerability