Chapter 5. Updates for 26.2.14


This release contains several fixed issues and changes related to upgrading. For details, see the Upgrading Guide.

5.1. CVE fixes

  • CVE-2026-3047 A SAML client marked Disabled in the broker realm still completes IdP-initiated broker login and creates a realm SSO session.
  • CVE-2026-3009 Improper Authorization vulnerability: the broker login endpoint does not re-validate the enabled/disabled status of the configured Identity Provider (IdP) at the time the login is processed.
  • CVE-2026-2603 A SAML Identity Provider that is disabled in the broker realm can still complete IdP-initiated broker logins.
  • CVE-2026-2092 Unauthorized access via improper validation of encrypted SAML assertions. Keycloak validates that plaintext <Assertion> elements are signed when the response root is not signed, but it does not apply the same binding requirement to <EncryptedAssertion>.
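
The CVE-2026-2092 entry above describes a missing binding check: when the Response root is unsigned, each plaintext Assertion must carry its own signature, and the same rule must be applied to the assertion recovered from each EncryptedAssertion. The following is an added example (not Keycloak's code) that shows that rule as a structural check over a SAML 2.0 Response. It assumes a constructed `fake_decrypt` stand-in for XML-Encryption (the CipherValue simply holds the base64 plaintext assertion) and only checks that a ds:Signature element is bound to each assertion; a real service provider must also cryptographically verify each signature.

```python
"""Structural check that a SAML 2.0 Response binds a signature to every
assertion it carries, plaintext or encrypted.

Added example, not Keycloak code.  Rule demonstrated: if the Response root
is not signed, every <Assertion> must be signed, and the same requirement
must apply to the assertion obtained from each <EncryptedAssertion>.
Only signature *presence* is checked here; XML-DSig verification is
out of scope for this example.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def _has_signature(elem):
    """True if a ds:Signature is a direct child of elem (enveloped signature)."""
    return elem.find("ds:Signature", NS) is not None


def fake_decrypt(encrypted_assertion):
    """Constructed stand-in for XML-Encryption (assumption, not real code):
    the CipherValue holds the base64 of the plaintext <Assertion>.  A real
    SP decrypts with its private key and then parses the result."""
    cipher = encrypted_assertion.find(
        "xenc:EncryptedData/xenc:CipherData/xenc:CipherValue", NS)
    return ET.fromstring(base64.b64decode(cipher.text))


def check_assertion_signatures(response_xml, decrypt=fake_decrypt,
                               skip_encrypted_check=False):
    """Return a list of (assertion_id, reason) failures; empty means accepted.

    skip_encrypted_check=True reproduces the flaw class described for
    CVE-2026-2092: encrypted assertions are exempted from the binding rule.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [("-", "root is not a samlp:Response")]
    if _has_signature(root):
        return []  # a signed root covers every assertion it contains
    failures = []
    for a in root.findall("saml:Assertion", NS):
        if not _has_signature(a):
            failures.append((a.get("ID", "?"), "plaintext assertion unsigned"))
    for ea in root.findall("saml:EncryptedAssertion", NS):
        if skip_encrypted_check:
            continue  # flawed behaviour: requirement not applied
        a = decrypt(ea)
        if not _has_signature(a):
            failures.append((a.get("ID", "?"), "decrypted assertion unsigned"))
    return failures


# --- constructed sample messages (not captured from any real IdP) ---------
_SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'


def _assertion(aid, signed):
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{aid}">'
            f'{_SIG if signed else ""}<saml:Subject><saml:NameID>alice'
            f'</saml:NameID></saml:Subject></saml:Assertion>')


def _encrypted(aid, signed):
    blob = base64.b64encode(_assertion(aid, signed).encode()).decode()
    return (f'<saml:EncryptedAssertion xmlns:saml="{NS["saml"]}">'
            f'<xenc:EncryptedData xmlns:xenc="{NS["xenc"]}"><xenc:CipherData>'
            f'<xenc:CipherValue>{blob}</xenc:CipherValue></xenc:CipherData>'
            f'</xenc:EncryptedData></saml:EncryptedAssertion>')


def _response(body, signed_root=False):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="r1">'
            f'{_SIG if signed_root else ""}{body}</samlp:Response>')


SIGNED_PLAIN = _response(_assertion("a1", True))
UNSIGNED_ENCRYPTED = _response(_encrypted("a2", False))
SIGNED_ENCRYPTED = _response(_encrypted("a3", True))

if __name__ == "__main__":
    for name, msg in [("signed plaintext", SIGNED_PLAIN),
                      ("unsigned encrypted", UNSIGNED_ENCRYPTED),
                      ("signed encrypted", SIGNED_ENCRYPTED)]:
        print(name, "->", check_assertion_signatures(msg) or "accepted")
        print(name, "(flawed check) ->",
              check_assertion_signatures(msg, skip_encrypted_check=True) or "accepted")
```

Run as-is, the unsigned encrypted assertion is rejected by the corrected check and silently accepted by the flawed one, which is the behavioural difference the CVE entry describes. In a deployment the same rule should be enforced after decryption, before any attribute of the assertion is used to create a session.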