
Keycloak: Authentication bypass using disabled Identity Provider

CVE-2026-3009 · GHSA-m297-3jv9-m927
Summary

An attacker who knows the Identity Provider alias can bypass the administrative restriction on a disabled external provider and gain unauthorized access to Keycloak. This is possible when a login request was generated before the provider was disabled. To protect your system, ensure that administrators promptly remove or update login requests after disabling an Identity Provider.

What to do
  • Update keycloak org.keycloak:keycloak-services to version 26.5.5.
Affected software
Vendor | Product | Affected versions | Fix available
keycloak | org.keycloak:keycloak-services | <= 26.5.5 | 26.5.5
redhat | build_of_keycloak | All versions |
redhat | build_of_keycloak | 26.4 |
redhat | build_of_keycloak | 26.4.10 |
redhat | jboss_enterprise_application_platform | 8.0 |
redhat | jboss_enterprise_application_platform_expansion_pack | All versions |
redhat | single_sign-on | 7.0 |
Original title
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
Original description
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
Severity: NVD CVSS 3.1 base score 8.1
Vulnerability type
CWE-285 Improper Authorization
CWE-863 Incorrect Authorization
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026