CVE-2026-7307 Overview
A denial of service flaw exists in Keycloak, the open source identity and access management solution. A remote, unauthenticated attacker can send specially crafted Extensible Markup Language (XML) input to the Security Assertion Markup Language (SAML) endpoint. The malicious payload triggers high CPU consumption and exhausts worker threads, rendering the Keycloak server unavailable to legitimate users.
The vulnerability is tracked as [CWE-1286] (Improper Validation of Syntactic Correctness of Input) and impacts authentication services that rely on Keycloak for single sign-on.
Critical Impact
Unauthenticated remote attackers can disrupt identity and access management services, breaking single sign-on (SSO) federation for all downstream applications relying on the affected Keycloak instance.
Affected Products
- Red Hat Build of Keycloak (see Red Hat Security Advisory RHSA-2026:19594)
- Red Hat Single Sign-On / Keycloak distributions covered by RHSA-2026:19595, RHSA-2026:19596, and RHSA-2026:19597
- Upstream Keycloak deployments exposing SAML endpoints
Discovery Timeline
- 2026-05-19 - CVE-2026-7307 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in the NVD database
Technical Details for CVE-2026-7307
Vulnerability Analysis
The flaw resides in how Keycloak parses inbound SAML protocol messages. SAML relies on XML-based assertions exchanged between identity providers and service providers. When Keycloak receives a malformed or pathologically structured XML document at its SAML endpoint, the parser enters an expensive processing path. CPU utilization spikes and worker threads remain blocked while attempting to process the input.
Because the application server has a finite worker thread pool, repeated requests rapidly consume all available threads. Once exhausted, the server cannot accept new requests, including legitimate authentication flows. Any application federated through the affected Keycloak instance loses access to its identity provider.
Root Cause
The root cause is improper validation of syntactic correctness of input [CWE-1286] in the SAML message processing pipeline. The XML parser does not enforce sufficient structural or resource boundaries on incoming documents before committing computational resources to parsing them.
Attack Vector
Exploitation requires only network reachability to the Keycloak SAML endpoint. The attacker does not need credentials or user interaction. An attacker crafts an XML document designed to trigger expensive parsing operations and submits it through standard HTTP POST requests to the SAML binding endpoint. Repeating the request from one or more sources amplifies thread starvation.
No verified public proof-of-concept code is currently available. Refer to the Red Hat CVE-2026-7307 Details and Red Hat Bug Report #2476526 for vendor analysis.
Detection Methods for CVE-2026-7307
Indicators of Compromise
- Sustained CPU saturation on Keycloak server processes with no corresponding increase in legitimate authentication volume
- Worker thread pool exhaustion warnings in Keycloak or underlying WildFly/Quarkus runtime logs
- HTTP 503 or connection timeout responses returned by the SAML endpoint to legitimate identity federation traffic
- Repeated POST requests to SAML binding URIs (/realms/{realm}/protocol/saml) from a small set of source addresses
Detection Strategies
- Inspect web application firewall (WAF) and reverse proxy logs for anomalous request rates targeting SAML endpoints
- Monitor XML payload size distribution and parsing latency metrics emitted by Keycloak
- Correlate authentication failure spikes with thread pool and CPU telemetry to distinguish DoS from credential attacks
Monitoring Recommendations
- Alert on Keycloak JVM CPU utilization sustained above baseline for more than several minutes
- Track worker thread pool saturation and request queue depth as first-class SLO metrics
- Forward Keycloak access logs and runtime metrics to a centralized SIEM for correlation with network-layer telemetry
How to Mitigate CVE-2026-7307
Immediate Actions Required
- Apply the Red Hat security updates referenced in RHSA-2026:19594, RHSA-2026:19595, RHSA-2026:19596, and RHSA-2026:19597 as soon as maintenance windows permit
- Restrict network exposure of SAML endpoints to known identity federation partners using firewall or reverse proxy ACLs
- Place rate limiting in front of /realms/*/protocol/saml paths to blunt request floods
Patch Information
Red Hat has shipped fixed Keycloak packages through advisories RHSA-2026:19594, RHSA-2026:19595, RHSA-2026:19596, and RHSA-2026:19597. Administrators running upstream Keycloak should upgrade to the corresponding fixed release as documented in the Red Hat CVE-2026-7307 Details page.
Workarounds
- Enforce request size limits on the reverse proxy fronting Keycloak to reject oversized XML payloads before they reach the application
- Configure per-source rate limits and connection caps for SAML binding URLs
- Disable SAML protocol support on realms that exclusively use OpenID Connect until patches are applied
# Example NGINX configuration to rate limit and size limit SAML traffic
limit_req_zone $binary_remote_addr zone=saml_rl:10m rate=10r/s;
server {
listen 443 ssl;
server_name sso.example.com;
client_max_body_size 256k;
location ~ ^/realms/.+/protocol/saml {
limit_req zone=saml_rl burst=20 nodelay;
proxy_pass http://keycloak_upstream;
proxy_read_timeout 15s;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
