Bug 2441966 (CVE-2026-3047) - CVE-2026-3047 org.keycloak.broker.saml: Keycloak SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
Keywords:
Status: NEW
Alias: CVE-2026-3047
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-02-23 17:33 UTC by OSIDB Bzimport
Modified: 2026-03-05 14:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-23 17:33:20 UTC
A SAML client marked Disabled in the broker realm still completes IdP-initiated broker login and creates a realm SSO session. Even though the target SAML client is disabled, the user gains a valid Keycloak session and can access other enabled clients without re-authentication.
Requirements to exploit

The Keycloak instance must have a disabled SAML client configured as an IdP-initiated broker landing target. The user must also exist in the external IdP.
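As an added defender-side check, not part of this bug report or of the Keycloak project: the script below walks a realm's client list, shaped like the Admin REST API's client representation, and flags disabled SAML clients that still carry an IdP-initiated SSO URL name, which is the configuration the description names as the prerequisite. The attribute key and field names are assumptions based on Keycloak's SAML client configuration, and the client list is constructed sample data.

```python
import json

# Assumption: Keycloak stores the IdP-initiated SSO URL name under this
# client attribute key (the value that builds the IdP-initiated landing URL).
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"

# Constructed sample, shaped like GET /admin/realms/{realm}/clients output
# (only the fields this check reads).
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "hr-portal", "protocol": "saml", "enabled": false,
   "attributes": {"saml_idp_initiated_sso_url_name": "hr-portal"}},
  {"clientId": "wiki", "protocol": "saml", "enabled": true,
   "attributes": {"saml_idp_initiated_sso_url_name": "wiki"}},
  {"clientId": "legacy-saml", "protocol": "saml", "enabled": false,
   "attributes": {}},
  {"clientId": "web-app", "protocol": "openid-connect", "enabled": false,
   "attributes": {}}
]
""")


def idp_initiated_url_name(client):
    """Return the IdP-initiated SSO URL name of a SAML client, or None."""
    if client.get("protocol") != "saml":
        return None
    name = (client.get("attributes") or {}).get(IDP_INITIATED_ATTR, "")
    return name or None


def find_disabled_idp_initiated_clients(clients):
    """clientIds of disabled SAML clients that still expose an IdP-initiated
    landing target: the precondition described for CVE-2026-3047."""
    return sorted(
        c["clientId"] for c in clients
        if not c.get("enabled", True) and idp_initiated_url_name(c)
    )


def report(clients):
    """Human-readable findings, one line per affected client."""
    return [f"{cid}: disabled SAML client still configured as IdP-initiated "
            f"landing target ({IDP_INITIATED_ATTR} set); review until patched"
            for cid in find_disabled_idp_initiated_clients(clients)]


if __name__ == "__main__":
    for line in report(SAMPLE_CLIENTS):
        print(line)
```

Point the same functions at a live export of the realm's clients (via the Admin REST API or a realm export) to audit a real deployment.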

