Vulnerability Description
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed through an Identity Provider (IdP) even after an administrator has disabled it. An attacker who knows the IdP alias can replay a previously generated login request against that endpoint to bypass the administrative restriction. This undermines access-control enforcement and may allow unauthorized authentication through a disabled external provider. On affected versions the IdP's disabled flag alone therefore cannot be relied on to cut off logins through that provider until a fixed build is applied.
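As an added example (not part of the original advisory or of Keycloak's own code), the Python helper below turns the description above into a post-patch check: it lists a realm's identity providers through the Keycloak admin REST API, keeps the ones an administrator has disabled, and asks the broker login endpoint handled by IdentityBrokerService.performLogin (`/realms/{realm}/broker/{alias}/login`) whether it still redirects the browser to the external IdP. The host name, realm, admin token and the `client_id`, `tab_id` and `session_code` values of an in-progress login (the "previously generated login request") are assumptions supplied by the operator, and the sample IdP list is constructed; the pure helpers can be exercised offline.

```python
"""Added audit helper for the IdentityBrokerService.performLogin issue (CVE-2026-3009).

Network calls are kept in separate functions so the decision logic can be run offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def disabled_idp_aliases(idp_instances):
    """Aliases whose representation has enabled == false (admin API list of IdP instances)."""
    return sorted(idp["alias"] for idp in idp_instances if not idp.get("enabled", True))


def broker_login_url(base, realm, alias, client_id, tab_id, session_code):
    """URL served by IdentityBrokerService.performLogin: /realms/{realm}/broker/{alias}/login.

    client_id, tab_id and session_code belong to an in-progress authentication session
    and are supplied by the caller (assumption: obtained from a browser's login page).
    """
    query = urllib.parse.urlencode(
        {"client_id": client_id, "tab_id": tab_id, "session_code": session_code}
    )
    return (
        f"{base.rstrip('/')}/realms/{urllib.parse.quote(realm, safe='')}"
        f"/broker/{urllib.parse.quote(alias, safe='')}/login?{query}"
    )


def classify(status, location, base):
    """Interpret a response to the broker login URL.

    REDIRECTED_TO_IDP: a 3xx whose Location points at a host other than the Keycloak
    server, i.e. the login proceeded to the external provider. For a disabled alias
    this is the behaviour the advisory describes.
    BLOCKED: anything else (an error status, an error page, or a redirect that stays
    on the Keycloak host, e.g. back to the login page).
    """
    if 300 <= status < 400 and location:
        target = urllib.parse.urlsplit(location).netloc
        if target and target != urllib.parse.urlsplit(base).netloc:
            return "REDIRECTED_TO_IDP"
    return "BLOCKED"


def list_idps(base, realm, admin_token):
    """GET /admin/realms/{realm}/identity-provider/instances with a bearer admin token."""
    url = (
        f"{base.rstrip('/')}/admin/realms/{urllib.parse.quote(realm, safe='')}"
        "/identity-provider/instances"
    )
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def probe(url, base):
    """Request the broker login URL without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Location"), base)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here once redirects are disabled
        return classify(err.code, err.headers.get("Location"), base)


def audit(base, realm, admin_token, client_id, tab_id, session_code):
    """Map every disabled alias to its classification; any REDIRECTED_TO_IDP means unpatched."""
    return {
        alias: probe(broker_login_url(base, realm, alias, client_id, tab_id, session_code), base)
        for alias in disabled_idp_aliases(list_idps(base, realm, admin_token))
    }


# Constructed sample of what the admin API returns (not real data).
SAMPLE_IDPS = [
    {"alias": "corp-oidc", "providerId": "oidc", "enabled": True},
    {"alias": "legacy-saml", "providerId": "saml", "enabled": False},
]

if __name__ == "__main__":
    base = "https://sso.example.com"  # hypothetical Keycloak host
    print(disabled_idp_aliases(SAMPLE_IDPS))
    print(classify(302, "https://idp.example.org/saml/sso?SAMLRequest=...", base))
```

Run `audit()` only against a test realm you control. A disabled alias that comes back `REDIRECTED_TO_IDP` means the instance still shows the behaviour described above; `BLOCKED` (an error page, or a redirect back to Keycloak itself) is the expected result on a fixed build. Probing an enabled alias proves nothing, since it is supposed to redirect.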
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Build Of Keycloak | - |
| Redhat | Jboss Enterprise Application Platform | 8.0 |
| Redhat | Jboss Enterprise Application Platform Expansion Pack | - |
| Redhat | Single Sign-On | 7.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2026:3947 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2026:3948 (Vendor Advisory)
- https://access.redhat.com/security/cve/CVE-2026-3009 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2441867 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2026-3009?
CVE-2026-3009 is a vulnerability with a CVSS score of 8.1 (HIGH). A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed through an Identity Provider (IdP) even after an administrator has disabled it. An attacker who knows the IdP alias can replay a previously generated login request to bypass the administrative restriction.
How severe is CVE-2026-3009?
CVE-2026-3009 has been rated HIGH with a CVSS base score of 8.1/10. This page lists only the base score and rating; the Red Hat CVE page in the references carries the full vector.
Is there a patch for CVE-2026-3009?
Check the references section above for the vendor advisories (RHSA-2026:3947 and RHSA-2026:3948) and patch information. Affected products include: Redhat Build Of Keycloak, Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Application Platform Expansion Pack, Redhat Single Sign-On.