<Vulnerability name="CVE-2026-9794">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-05-28T03:15:43</PublicDate>
    <Bugzilla id="2482461" url="https://bugzilla.redhat.com/show_bug.cgi?id=2482461" xml:lang="en:us">
keycloak: Keycloak: Information disclosure via SAML ECP endpoint
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-209</CWE>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
    </Details>
    <Statement xml:lang="en:us">
This Moderate-severity information disclosure flaw in Keycloak allows an unauthenticated, remote attacker to enumerate client protocol types. By sending specially crafted SOAP requests to the SAML ECP endpoint and analyzing the resulting faultstrings, an attacker can discern the protocol associated with different client IDs, aiding in further targeted attacks.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Asaad Mostafa and Muhammed Hussein for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9794
https://nvd.nist.gov/vuln/detail/CVE-2026-9794
    </References>
</Vulnerability>