CVE-2026-3009 Overview
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Critical Impact
Attackers can bypass administrative controls by exploiting disabled Identity Providers, potentially gaining unauthorized access to protected resources through authentication mechanisms that should no longer be available.
Affected Products
- Keycloak Identity and Access Management Platform
- Red Hat Single Sign-On (products covered by RHSA-2026:3947)
- Red Hat Single Sign-On (products covered by RHSA-2026:3948)
Discovery Timeline
- 2026-03-05 - CVE-2026-3009 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-3009
Vulnerability Analysis
This vulnerability is classified under CWE-285 (Improper Authorization), which occurs when software does not properly perform access control checks. In this case, Keycloak's IdentityBrokerService fails to validate whether an Identity Provider is still enabled when processing authentication requests that were generated prior to the IdP being disabled.
The flaw allows an attacker to circumvent administrative decisions to disable external authentication providers. When an administrator disables an IdP, any previously generated authentication requests referencing that IdP should become invalid. However, the vulnerable implementation continues to process these requests, allowing authentication to succeed through the disabled provider.
The attack is network-accessible, requires only low privileges, and needs no user interaction. Successful exploitation compromises both confidentiality and integrity of the affected system, since unauthorized users may gain access to protected resources.
Root Cause
The root cause lies in insufficient validation within the IdentityBrokerService.performLogin endpoint. When processing an authentication request, the service fails to verify the current enabled/disabled status of the referenced Identity Provider at the time of authentication execution. Instead, it relies on the validity of the request itself, which was generated when the IdP was still enabled.
This represents a Time-of-Check Time-of-Use (TOCTOU) design flaw where the authorization state checked during request generation differs from the state at request execution time. The IdP alias embedded in the login request continues to function even after administrative changes have been made to disable that provider.
Attack Vector
The attack requires knowledge of a valid IdP alias that was previously configured in the Keycloak instance. An attacker can exploit this vulnerability through the following mechanism:
- The attacker obtains or generates a valid login request URL containing the alias of a target Identity Provider while it is still enabled
- The administrator subsequently disables the Identity Provider for security or policy reasons
- The attacker uses the previously captured login request to initiate authentication
- The IdentityBrokerService.performLogin endpoint processes the request without validating the current IdP status
- Authentication proceeds through the disabled provider, bypassing administrative restrictions
This attack bypasses the intended security control that disabling an IdP should prevent all future authentications through that provider. The vulnerability is particularly concerning in scenarios where IdPs are disabled due to security incidents or trust revocations with external identity providers.
Detection Methods for CVE-2026-3009
Indicators of Compromise
- Authentication events logged against Identity Providers that are currently marked as disabled in Keycloak configuration
- Unusual login activity patterns showing successful authentications via IdP aliases that should be inactive
- Login requests containing IdP aliases that do not match the list of currently enabled providers
- Audit log entries showing authentication broker activity for disabled external providers
Detection Strategies
- Monitor Keycloak authentication logs for successful logins via IdP aliases that are currently disabled in the realm configuration
- Implement real-time correlation between IdP configuration changes and subsequent authentication attempts against those providers
- Create alerts for authentication requests containing IdP aliases that have been recently disabled
- Review audit trails for patterns of login requests that reference disabled Identity Providers
Monitoring Recommendations
- Enable detailed audit logging for all IdentityBrokerService operations in Keycloak
- Configure SIEM rules to correlate IdP disable events with subsequent authentication attempts using those providers
- Implement periodic reconciliation between enabled IdP configurations and authentication activity logs
- Monitor for reconnaissance activity attempting to enumerate valid IdP aliases
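The correlation described under Detection Strategies and Monitoring Recommendations above, as an added Python example that is not part of this advisory or of Keycloak: it takes admin events and login events in the JSON shape returned by Keycloak's admin REST API (sample records constructed inline), flags brokered logins whose IdP alias was disabled or deleted before the login time, and reconciles brokered logins against the set of currently enabled aliases. The field names `identity_provider`, `resourceType`, `resourcePath` and `representation` are Keycloak's own; the aliases, user ids and timestamps are made up.

```python
import json

# Constructed sample records in the shape of Keycloak's admin REST API responses
# (GET .../admin-events and GET .../events). Aliases, ids and epoch-ms times are made up.
ADMIN_EVENTS = [
    {"time": 1772700000000, "operationType": "UPDATE", "resourceType": "IDENTITY_PROVIDER",
     "resourcePath": "identity-provider/instances/partner-saml",
     "representation": json.dumps({"alias": "partner-saml", "enabled": False})},
]
LOGIN_EVENTS = [
    {"time": 1772699000000, "type": "LOGIN", "userId": "u1",
     "details": {"identity_provider": "partner-saml"}},   # before the disable: expected
    {"time": 1772700500000, "type": "LOGIN", "userId": "u2",
     "details": {"identity_provider": "partner-saml"}},   # after the disable: suspicious
    {"time": 1772700600000, "type": "LOGIN", "userId": "u3",
     "details": {"identity_provider": "corp-oidc"}},      # still-enabled IdP: expected
    {"time": 1772700700000, "type": "LOGIN", "userId": "u4", "details": {}},  # local login
]

def idp_disable_times(admin_events):
    """Map IdP alias -> time (ms) of the latest admin event that disabled or deleted it.
    A later UPDATE that sets enabled=true removes the alias from the map again."""
    disabled = {}
    for ev in sorted(admin_events, key=lambda e: e["time"]):
        if ev.get("resourceType") != "IDENTITY_PROVIDER":
            continue
        alias = ev["resourcePath"].rsplit("/", 1)[-1]   # .../instances/<alias>
        if ev.get("operationType") == "DELETE":
            disabled[alias] = ev["time"]
            continue
        rep = json.loads(ev.get("representation") or "{}")
        if rep.get("enabled") is False:
            disabled[alias] = ev["time"]
        elif rep.get("enabled") is True:
            disabled.pop(alias, None)
    return disabled

def logins_via_disabled_idp(login_events, admin_events):
    """Return LOGIN events that used an IdP alias at or after the time it was disabled."""
    disabled = idp_disable_times(admin_events)
    hits = []
    for ev in login_events:
        alias = ev.get("details", {}).get("identity_provider")
        if ev.get("type") == "LOGIN" and alias in disabled and ev["time"] >= disabled[alias]:
            hits.append(ev)
    return hits

def logins_not_in_enabled_set(login_events, enabled_aliases):
    """Periodic reconciliation: brokered LOGIN events whose alias is not currently enabled."""
    return [ev for ev in login_events if ev.get("type") == "LOGIN"
            and ev.get("details", {}).get("identity_provider") not in {None, *enabled_aliases}]
```

The enabled-alias set for the reconciliation check can be taken from `kcadm.sh get identity-provider/instances` output filtered on `"enabled": true`.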
How to Mitigate CVE-2026-3009
Immediate Actions Required
- Apply the security patches provided in Red Hat Security Advisory RHSA-2026:3947 and RHSA-2026:3948
- Review authentication logs for any evidence of exploitation against recently disabled Identity Providers
- Audit all currently disabled IdPs and consider removing their configurations entirely if they are no longer needed
- Invalidate any existing sessions that may have been established through disabled IdP authentication
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations running affected versions of Keycloak or Red Hat Single Sign-On should apply the patches immediately:
- RHSA-2026:3947 - Red Hat Security Advisory
- RHSA-2026:3948 - Red Hat Security Advisory
For additional technical details, refer to Red Hat's CVE analysis and Bug Report #2441867.
Workarounds
- Instead of disabling Identity Providers, delete their configurations entirely when they are no longer needed
- Implement additional network-level access controls to restrict access to the Keycloak authentication endpoints
- Use authentication policies to require additional verification steps for IdP-based logins
- Consider implementing a custom authentication flow that explicitly validates IdP status before proceeding with authentication
# Configuration example
# Remove disabled IdPs from the Keycloak realm configuration via the kcadm.sh CLI
# Replace <keycloak-host>, <realm-name> and <idp-alias> with appropriate values
# Authenticate the CLI against the master realm first (prompts for the admin password)
/opt/keycloak/bin/kcadm.sh config credentials --server https://<keycloak-host> --realm master --user admin
# List all Identity Providers in the realm, showing only each alias and its enabled state
/opt/keycloak/bin/kcadm.sh get identity-provider/instances -r <realm-name> --fields alias,enabled
# Delete a disabled Identity Provider entirely (recommended workaround)
/opt/keycloak/bin/kcadm.sh delete identity-provider/instances/<idp-alias> -r <realm-name>
# Verify the IdP has been removed
/opt/keycloak/bin/kcadm.sh get identity-provider/instances -r <realm-name> --fields alias,enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.