CVE-2026-9794 Overview
CVE-2026-9794 is an information disclosure vulnerability in Keycloak's Security Assertion Markup Language Enhanced Client or Proxy (SAML ECP) endpoint. A remote, unauthenticated attacker can send specially crafted Simple Object Access Protocol (SOAP) requests with varying client IDs. The endpoint returns distinct faultstring values depending on the client's configured protocol type. Attackers can use these differences to enumerate clients and identify their protocol types. The flaw is classified under CWE-209: Generation of Error Message Containing Sensitive Information.
Critical Impact
Unauthenticated attackers can enumerate Keycloak clients and identify their protocol types by observing differing SOAP fault messages, exposing identity infrastructure metadata useful for follow-on attacks.
Affected Products
- Red Hat Keycloak (see vendor advisory for affected versions)
- Red Hat Single Sign-On / Red Hat Build of Keycloak deployments exposing the SAML ECP endpoint
- Upstream Keycloak instances with SAML ECP enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-9794 published to the National Vulnerability Database (NVD)
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9794
Vulnerability Analysis
The vulnerability resides in how the Keycloak SAML ECP endpoint constructs SOAP fault responses. When the endpoint receives a SOAP request referencing a client ID that it cannot process, Keycloak returns a SOAP fault message. The faultstring content differs based on whether the referenced client is configured for SAML, is configured for OpenID Connect, or does not exist. An unauthenticated attacker can iterate through candidate client IDs and classify each one based on the response. This turns a verbose error-handling path into a reliable enumeration oracle. The disclosed information assists adversaries in mapping the identity provider configuration before attempting authentication or federation abuse.
Root Cause
The root cause is improper error message handling [CWE-209]. The SAML ECP endpoint reflects internal protocol state into client-visible fault messages instead of returning a uniform error. Distinguishable responses for valid SAML clients, valid non-SAML clients, and unknown clients leak metadata that should remain internal to the authorization server.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker issues crafted SOAP POST requests to the SAML ECP endpoint, supplying different client identifiers in each request. By parsing the faultstring element from each SOAP fault response, the attacker classifies clients and infers their configured protocol. The technique scales easily through scripted enumeration against any internet-reachable Keycloak instance with SAML ECP enabled.
No verified public exploit code is available. See the Red Hat CVE-2026-9794 Advisory and the Red Hat Bug Report #2482461 for vendor technical details.
Detection Methods for CVE-2026-9794
Indicators of Compromise
- High volumes of unauthenticated SOAP POST requests to the SAML ECP endpoint (typically under /realms/{realm}/protocol/saml) from a single source.
- Sequential or dictionary-style variation of client ID values within SOAP envelopes sent to the ECP endpoint.
- Spikes in SOAP fault responses generated by Keycloak with varying faultstring content.
Detection Strategies
- Inspect Keycloak access logs for repeated requests to the SAML ECP endpoint with differing client ID parameters and no successful authentication.
- Correlate web application firewall (WAF) telemetry for SOAP envelopes targeting /protocol/saml paths from non-federated source addresses.
- Alert on rates of SOAP 500-class fault responses from Keycloak that exceed normal federation traffic baselines.
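The first and third strategies above, applied to reverse-proxy access logs, as an added example that is not part of the original advisory: it parses combined-format log lines, counts per-source POSTs to the SAML endpoint that ended in a 5xx SOAP fault, and flags sources with many faults and no successful SAML exchange. The log lines, the fault threshold and the path pattern are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format reverse-proxy access log lines in front of
# Keycloak; these are not real log entries. The 500s stand for SOAP fault responses.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:01:01 +0000] "POST /realms/master/protocol/saml HTTP/1.1" 500 612 "-" "curl/8.4.0"
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "POST /realms/master/protocol/saml HTTP/1.1" 500 598 "-" "curl/8.4.0"
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "POST /realms/master/protocol/saml HTTP/1.1" 500 601 "-" "curl/8.4.0"
203.0.113.7 - - [28/May/2026:10:01:03 +0000] "POST /realms/master/protocol/saml HTTP/1.1" 500 612 "-" "curl/8.4.0"
198.51.100.4 - - [28/May/2026:10:01:05 +0000] "POST /realms/master/protocol/saml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [28/May/2026:10:01:09 +0000] "GET /realms/master/protocol/openid-connect/auth HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The SAML protocol endpoint of any realm (the ECP binding is served under this path).
SAML_PATH_RE = re.compile(r"^/realms/[^/]+/protocol/saml(?:/|\?|$)")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def saml_fault_counts(log_text):
    """Per source IP: POSTs to the SAML endpoint answered with a 5xx fault vs. a 2xx/3xx."""
    stats = defaultdict(lambda: {"faults": 0, "ok": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not SAML_PATH_RE.match(rec["path"]):
            continue
        key = "faults" if rec["status"].startswith("5") else "ok"
        stats[rec["ip"]][key] += 1
    return dict(stats)

def suspicious_sources(log_text, min_faults=3):
    """Sources with at least min_faults SAML fault responses and no successful SAML exchange."""
    return sorted(ip for ip, s in saml_fault_counts(log_text).items()
                  if s["faults"] >= min_faults and s["ok"] == 0)
```

Tune min_faults to the baseline fault rate of your own federation traffic; legitimate ECP clients occasionally produce faults, but not in bursts with no successful exchange.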
Monitoring Recommendations
- Forward Keycloak event logs and reverse proxy access logs to a centralized analytics platform for behavioral baselining of SAML endpoints.
- Track per-source-IP request rates against authentication endpoints and rate-limit clients exceeding expected federation volumes.
- Monitor for reconnaissance patterns that pair client ID enumeration with subsequent authentication or token endpoint requests.
How to Mitigate CVE-2026-9794
Immediate Actions Required
- Apply the Keycloak update referenced in the Red Hat CVE-2026-9794 Advisory as soon as it is available for your distribution.
- Restrict network exposure of the SAML ECP endpoint to known federation partners using firewall or reverse proxy access controls.
- Audit configured Keycloak clients and remove unused or legacy clients that increase the enumeration surface.
Patch Information
Refer to the Red Hat CVE-2026-9794 Advisory and the Red Hat Bug Report #2482461 for fixed versions, errata, and package details across Red Hat Build of Keycloak and Red Hat Single Sign-On. Upstream Keycloak users should track the corresponding release notes for the equivalent fix.
Workarounds
- Disable the SAML ECP profile on realms that do not require it, removing the vulnerable endpoint from the attack surface.
- Place Keycloak behind a reverse proxy or WAF that rate-limits unauthenticated requests to /protocol/saml and blocks repetitive client ID enumeration patterns.
- Restrict access to the SAML endpoint by source IP allow-listing where federation partners are known and static.
# Example: block unauthenticated SAML ECP access at an NGINX reverse proxy
# Assumes an "upstream keycloak_upstream { ... }" block is defined, and that the
# rate-limit zone is declared once in the http {} context, for example (rate is illustrative):
#   limit_req_zone $binary_remote_addr zone=saml_ecp:10m rate=10r/s;
location ~ ^/realms/[^/]+/protocol/saml {
    allow 203.0.113.0/24;                     # known federation partner range
    deny all;                                 # everything else is rejected with 403
    limit_req zone=saml_ecp burst=5 nodelay;  # throttle bursts from allowed sources
    proxy_pass http://keycloak_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.