A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client’s protocol type, leading to information disclosure. The flaw exists because the endpoint returns different error messages depending on the type of client being targeted. An attacker can use this to map out the deployment’s client landscape, gaining insight into which applications or services are using SAML, OpenID Connect, or other protocols without any prior authentication. The attack can be performed over the network with low attack complexity, no required privileges, and no user interaction, as the only prerequisite is network access to the Keycloak SAML ECP endpoint. This information leak can serve as a precursor to more targeted attacks, as the attacker learns which specific endpoints are safe to target for other exploits. The vulnerability is currently unpatched, and the only mitigation is to restrict access to the SAML ECP endpoint or update Keycloak once a fix is available.
DailyCVE Form:
Platform: Red Hat Build Keycloak
Version: All versions vulnerable
Vulnerability: Information disclosure via SOAP
Severity: Medium (CVSS 5.3)
Date: 2026-05-28
Prediction: 2026-06-15
What Undercode Says:
Analytics shows active scanning for Keycloak SAML endpoints. Use the following bash commands to test your own deployments:
# Check whether the SAML ECP endpoint is reachable (replace the host and realm with your own)
curl -k -X POST "https://keycloak.example.com/auth/realms/master/protocol/saml/clients" \
  -H "Content-Type: text/xml" \
  -d '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_test1" Version="2.0"/></soap:Body></soap:Envelope>'

# Probe with varying client IDs and compare the faultstring returned for each
# (the envelope body is abbreviated with "..." in the original)
for id in clientA clientB clientC; do
  curl -k -X POST "https://keycloak.example.com/auth/realms/master/protocol/saml/clients/$id" \
    -H "Content-Type: text/xml" \
    -d '<soap:Envelope>...<samlp:AuthnRequest ID="_test_'$id'"/></soap:Envelope>' \
    2>/dev/null | grep -i faultstring
done
Exploit:
An attacker can use a simple script to enumerate client types by sending SOAP requests with different client IDs and analyzing the `faultstring` responses. For example, sending an `AuthnRequest` to a SAML-enabled client returns a `faultstring` indicating a protocol mismatch, while an OpenID Connect client returns a different error. By comparing the differences, the attacker builds a map of valid clients and their protocol types.
Protection:
Until a patch is released, restrict access to the `/auth/realms/<realm>/protocol/saml/clients` endpoint (where `<realm>` is each realm name in your deployment) by IP allowlisting, block the endpoint at the reverse proxy level, or disable the SAML ECP binding entirely. Update Keycloak to the latest version as soon as a fix is available, and monitor logs for anomalous SOAP requests to the SAML ECP endpoint.
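The log-monitoring advice above can be turned into a concrete check. The following Python script is an added example, not code from the original advisory or from the Keycloak project: it parses reverse-proxy access logs and flags any source address that POSTs to the SAML ECP endpoint for several distinct client IDs within a short window, which is the enumeration pattern the advisory describes, while leaving a legitimate ECP client that always targets one client ID alone. It assumes Combined Log Format lines and the `/realms/<realm>/protocol/saml/clients/<client_id>` path (with an optional `/auth` prefix); the sample log lines, IP addresses and client names are constructed for the example.

```python
"""Flag SAML ECP client-enumeration probing in reverse-proxy access logs.

Added example, not part of the original advisory. Assumptions: the proxy in
front of Keycloak logs in Combined Log Format, and the SAML ECP endpoint is
reached at /realms/<realm>/protocol/saml/clients/<client_id> (older
deployments carry a leading /auth). The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# SAML ECP per-client endpoint, with or without the legacy /auth prefix
ECP_RE = re.compile(
    r'^(?:/auth)?/realms/(?P<realm>[^/]+)/protocol/saml/clients/(?P<client>[^/?]+)'
)

# Constructed sample: one source cycling through client ids (the probing pattern
# from the advisory), one legitimate ECP client always using a single client id,
# and unrelated OIDC traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:10:00:01 +0000] "POST /realms/master/protocol/saml/clients/clientA HTTP/1.1" 500 412 "-" "curl/8.5.0"',
    '203.0.113.7 - - [28/May/2026:10:00:02 +0000] "POST /realms/master/protocol/saml/clients/clientB HTTP/1.1" 500 398 "-" "curl/8.5.0"',
    '203.0.113.7 - - [28/May/2026:10:00:03 +0000] "POST /realms/master/protocol/saml/clients/clientC HTTP/1.1" 500 401 "-" "curl/8.5.0"',
    '198.51.100.4 - - [28/May/2026:10:00:05 +0000] "POST /realms/master/protocol/saml/clients/app-sso HTTP/1.1" 200 1890 "-" "ECP-Client/1.0"',
    '198.51.100.4 - - [28/May/2026:10:30:05 +0000] "POST /realms/master/protocol/saml/clients/app-sso HTTP/1.1" 200 1890 "-" "ECP-Client/1.0"',
    '192.0.2.9 - - [28/May/2026:10:00:07 +0000] "GET /realms/master/protocol/openid-connect/auth?client_id=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def ecp_client(path):
    """Return the client id targeted by an ECP request, or None for other paths."""
    m = ECP_RE.match(path)
    return m.group("client") if m else None


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct_clients=3):
    """Return {source_ip: sorted client ids} for sources that POST to the ECP
    endpoint for at least `min_distinct_clients` different client ids within
    any span of length `window`. A genuine ECP client targets one client id,
    so counting distinct ids per source separates probing from normal use."""
    events = defaultdict(list)  # ip -> [(timestamp, client_id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        client = ecp_client(rec["path"])
        if client is not None:
            events[rec["ip"]].append((rec["ts"], client))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {c for t, c in evs[i:] if t - start <= window}
            if len(in_window) >= min_distinct_clients:
                flagged[ip] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for ip, clients in find_enumeration(SAMPLE_LOG).items():
        print(f"possible ECP client enumeration from {ip}: {', '.join(clients)}")
```

Status codes are deliberately not filtered, because the advisory notes the endpoint answers each probe with a SOAP fault rather than a uniform error; the distinguishing signal is one source touching many client IDs, not the response code. Tune `window` and `min_distinct_clients` to the number of SAML clients a single legitimate ECP consumer in your environment can reasonably address.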
Impact:
An unauthenticated attacker can enumerate client protocol types within a Keycloak realm, leading to information disclosure that may facilitate further targeted attacks. The vulnerability does not allow for token issuance or privilege escalation on its own, but the leaked information can be used to identify high-value targets or to craft more sophisticated exploits.
Sources:
Reported By: nvd.nist.gov