CVE-2026-2092 Overview
A security vulnerability has been identified in Keycloak's Security Assertion Markup Language (SAML) broker endpoint. The flaw exists because the endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this weakness by crafting a malicious SAML response, allowing them to inject an encrypted assertion for an arbitrary principal. This can lead to unauthorized access and potential information disclosure in affected Keycloak deployments.
Critical Impact
Attackers with a valid signed SAML assertion can bypass authentication controls and gain unauthorized access by injecting encrypted assertions for arbitrary users, potentially compromising identity federation and single sign-on implementations.
Affected Products
- Keycloak (specific versions not disclosed in CVE data)
- Red Hat Single Sign-On (related advisory RHSA-2026:3925)
- Red Hat Build of Keycloak (related advisories RHSA-2026:3926, RHSA-2026:3947, RHSA-2026:3948)
Discovery Timeline
- 2026-03-18 - CVE-2026-2092 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-2092
Vulnerability Analysis
This vulnerability affects Keycloak's SAML broker functionality, which enables federated identity management by allowing Keycloak to act as an identity broker between SAML identity providers and service providers. The core issue stems from improper validation of encrypted SAML assertions when the enclosing SAML response lacks a signature.
In a properly secured SAML flow, both the overall response and individual assertions should be validated to ensure integrity and authenticity. However, Keycloak's implementation fails to adequately verify encrypted assertions in scenarios where the SAML response itself is unsigned. This creates a window of opportunity for an attacker who possesses a legitimately signed SAML assertion to craft a malicious response containing an encrypted assertion for a different user principal.
The vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input), as the system fails to properly validate the cryptographic binding between the response and its contained assertions. The attack requires network access and low-privilege authentication (a valid signed assertion), but can affect resources beyond the vulnerable component's security scope, potentially compromising the entire identity federation infrastructure.
Root Cause
The root cause of CVE-2026-2092 lies in the incomplete validation logic within Keycloak's SAML broker endpoint. Specifically, the code path handling encrypted assertions does not enforce signature verification on the enclosing SAML response when processing encrypted elements. This oversight allows an attacker to substitute or inject encrypted assertions without proper cryptographic verification of the overall message integrity.
The vulnerability reflects a common pitfall in SAML implementations where the relationship between response-level and assertion-level security controls is not properly enforced. While individual assertions may be signed, the lack of response signature validation creates an opportunity for assertion substitution attacks.
Attack Vector
The attack leverages the network-accessible SAML broker endpoint and requires the attacker to possess a valid signed SAML assertion, which could be obtained through legitimate access to an identity provider or through other means. The attacker then constructs a malicious SAML response that:
- Does not include a response-level signature (bypassing response integrity checks)
- Contains the attacker's valid signed assertion (to pass initial validation)
- Includes an encrypted assertion claiming a different principal identity
When Keycloak processes this crafted response, it accepts the encrypted assertion without properly verifying that it belongs to the authenticated principal, allowing the attacker to assume the identity of an arbitrary user. This technique is a variant of SAML assertion injection that specifically targets the handling of encrypted elements in unsigned responses.
Detection Methods for CVE-2026-2092
Indicators of Compromise
- Unusual SAML authentication events where the authenticated user principal differs from expected patterns
- SAML responses that carry encrypted assertions but no response-level signature
- Authentication logs showing users accessing resources they typically don't use or at unusual times
- Multiple authentication attempts using the same base assertion with different encrypted assertion payloads
Detection Strategies
- Monitor Keycloak authentication logs for SAML broker events involving unsigned responses with encrypted assertions
- Implement SIEM rules to detect anomalous principal changes during SAML authentication flows
- Audit user session creation events for inconsistencies between claimed identity and assertion source
- Review SAML debug logs for mismatches between assertion signer identity and encrypted assertion subject
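The structural check behind the first detection strategy, as an added example that is not code from the advisory or from Keycloak: it triages a captured SAML Response for the shape described under Attack Vector (no response-level signature, a signed plaintext assertion alongside an encrypted one). The sample XML is constructed, the finding strings are this script's own, and it inspects structure only; it does not verify any signature.

```python
# Added example (not Keycloak code): structural triage of a captured SAML Response; sample XML below is constructed.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def inspect_response(xml_text: str) -> dict:
    """Collect structural facts only; this does NOT verify any signature."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # find() looks at direct children only, so a ds:Signature found here is response-level, not one inside an assertion
    plain = root.findall(f"{{{SAML}}}Assertion")
    return {
        "response_signed": root.find(f"{{{DS}}}Signature") is not None,
        "plain_assertions": len(plain),
        "signed_assertions": sum(a.find(f"{{{DS}}}Signature") is not None for a in plain),
        "encrypted_assertions": len(root.findall(f"{{{SAML}}}EncryptedAssertion")),
    }

def triage(xml_text: str) -> list[str]:
    """Findings worth an alert; an empty list means the shape looks normal."""
    f = inspect_response(xml_text)
    findings = []
    if f["encrypted_assertions"] and not f["response_signed"]:
        findings.append("encrypted assertion in an unsigned Response")
    if f["plain_assertions"] + f["encrypted_assertions"] > 1:
        findings.append("more than one assertion in a single Response")
    if f["signed_assertions"] and f["encrypted_assertions"]:
        findings.append("signed plaintext assertion alongside an encrypted one")
    return findings

NS = ('xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
      'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"' % (SAMLP, SAML, DS))
# Constructed: signed Response carrying one encrypted assertion (the expected shape)
BENIGN = f"""<samlp:Response {NS} ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>
</samlp:Response>"""
# Constructed: unsigned Response with a signed assertion plus an injected encrypted assertion
SUSPICIOUS = f"""<samlp:Response {NS} ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1"><ds:Signature><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
  <saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage(doc) or "no findings")
```

Feed it the decoded SAMLResponse bodies from the broker endpoint's request logs; the unsigned-Response finding is the one to alert on, the other two are supporting signals.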
Monitoring Recommendations
- Enable verbose SAML logging in Keycloak to capture detailed assertion processing information
- Configure alerting for authentication events involving the SAML broker endpoint with high-privilege accounts
- Implement session monitoring to detect sudden changes in user behavior patterns post-authentication
- Correlate each brokered login with the identity provider that issued its assertion to identify assertion injection attempts
How to Mitigate CVE-2026-2092
Immediate Actions Required
- Apply the latest security patches from Red Hat by referencing the published security advisories
- Configure SAML identity providers to always sign SAML responses in addition to assertions
- Audit existing SAML federation configurations to ensure signature requirements are enforced
- Review recent authentication logs for potential exploitation attempts
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations using affected Keycloak or Red Hat Single Sign-On products should apply the relevant patches:
- Red Hat Security Advisory RHSA-2026:3925
- Red Hat Security Advisory RHSA-2026:3926
- Red Hat Security Advisory RHSA-2026:3947
- Red Hat Security Advisory RHSA-2026:3948
Additional details are available in the Red Hat CVE Analysis for CVE-2026-2092 and Red Hat Bug Report #2437296.
Workarounds
- Configure SAML identity provider broker settings to require signed SAML responses (not just signed assertions)
- Implement network-level access controls to restrict access to the SAML broker endpoint
- Enable strict validation mode for SAML processing if available in your Keycloak version
- Consider temporarily disabling encrypted assertion processing if not required for your federation use cases
# Example: Keycloak SAML realm configuration to enforce response signatures
# Navigate to your Identity Provider settings and ensure signature validation
# is enabled for both responses and assertions
# Via Keycloak Admin CLI, verify signature requirements:
kcadm.sh get identity-provider/instances/your-saml-idp \
-r your-realm \
--fields config
# Ensure these configuration values are set:
# "validateSignature": "true"
# "wantAssertionsSigned": "true"
# "wantAuthnRequestsSigned": "true"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.