Bug 2430835 (CVE-2026-1190) - CVE-2026-1190 org.keycloak/keycloak-services: Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData
Summary: CVE-2026-1190 org.keycloak/keycloak-services: Keycloak SAML brokering: Respon...
Keywords:
Status: NEW
Alias: CVE-2026-1190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-19 13:42 UTC by OSIDB Bzimport
Modified: 2026-01-19 13:49 UTC (History)
27 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-19 13:42:25 UTC 
When SAML is configured to act as a client (SAML brokering) it does not check the NotOnOrAfter tat is defined inside the SubjectConfirmationData. This just affects in the sense that an attacker can delay the response for more of the expected time. The response cannot be tampered because SAML should configured to be signed and, therefore, the same response cannot be used twice or to respond another request (the id should be modified and therefore the signature validation fails).

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://localhost:8080/realms/master/broker/saml/endpoint" ID="ID_9e3417cd-0c39-449b-bdaa-50876264d109" InResponseTo="ID_b99bc864-e89c-4243-adbb-56898a2143b7" IssueInstant="2026-01-12T17:17:13.922Z" Version="2.0">
    <saml:Issuer>http://localhost:8080/realms/saml</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_479728b1-b612-46c4-8a3a-f0dbff4409af" IssueInstant="2026-01-12T17:17:13.919Z" Version="2.0">
        <saml:Issuer>http://localhost:8080/realms/saml</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">samluser</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="ID_b99bc864-e89c-4243-adbb-56898a2143b7" NotOnOrAfter="2026-01-12T17:22:11.919Z" Recipient="http://localhost:8080/realms/master/broker/saml/endpoint"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2026-01-12T17:17:11.919Z" NotOnOrAfter="2026-01-12T17:18:11.919Z">
            <saml:AudienceRestriction>
                <saml:Audience>http://localhost:8080/realms/master</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2026-01-12T17:17:13.922Z" SessionIndex="9RdZsk9oqv5JK9aWfX5d1saN::9ad854a5-b6fc-4402-9e2c-7b96411af415" SessionNotOnOrAfter="2026-01-13T03:17:13.922Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">samluser</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">samluser</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="lastName" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">samluser</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

The NotOnOrAfter in the conditions are checked OK but the one in SubjectConfirmationData is not checked. The idea is that keycloak should also check the NotBefore and NotOnOrAfter in that element too just in case (maybe the IdP just use that data).
Note You need to log in before you can comment on or make changes to this bug.