VulnerableCode Package Details - pkg:maven/org.keycloak/keycloak-saml-core@26.5.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-tc9b-zzjt-63c7 Aliases: CVE-2026-2092 GHSA-wmxr-6j5f-838p	Keycloak: Unauthorized access via improper validation of encrypted SAML assertions A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-tc9b-zzjt-63c7
Aliases:
CVE-2026-2092
GHSA-wmxr-6j5f-838p

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-tc9b-zzjt-63c7	Keycloak: Unauthorized access via improper validation of encrypted SAML assertions A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure.	CVE-2026-2092 GHSA-wmxr-6j5f-838p

Vulnerability

Summary

Aliases

VCID-tc9b-zzjt-63c7

CVE-2026-2092
GHSA-wmxr-6j5f-838p

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T23:28:18.971337+00:00	GitLab Importer	Fixing	VCID-tc9b-zzjt-63c7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2026-2092.yml	38.5.0
2026-04-18T04:14:59.129947+00:00	GitLab Importer	Fixing	VCID-tc9b-zzjt-63c7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-saml-core/CVE-2026-2092.yml	38.4.0
2026-04-10T08:16:41.191711+00:00	GHSA Importer	Fixing	VCID-tc9b-zzjt-63c7	https://github.com/advisories/GHSA-wmxr-6j5f-838p	38.1.0
2026-04-09T22:49:51.851308+00:00	GithubOSV Importer	Fixing	VCID-tc9b-zzjt-63c7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wmxr-6j5f-838p/GHSA-wmxr-6j5f-838p.json	38.1.0
2026-04-02T17:01:12.583824+00:00	GHSA Importer	Affected by	VCID-tc9b-zzjt-63c7	https://github.com/advisories/GHSA-wmxr-6j5f-838p	38.1.0