Vulnerability details: VCID-xd7x-aevv-cfcp
Vulnerability ID VCID-xd7x-aevv-cfcp
Aliases CVE-2026-2575
GHSA-xv6h-r36f-3gp5
Summary Keycloak: Denial of Service due to excessive SAMLRequest decompression
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce a size limit during DEFLATE decompression, so a small request can inflate to an arbitrarily large buffer, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2026:3947
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2026:3947
ssvc Track https://access.redhat.com/errata/RHSA-2026:3947
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2026:3948
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2026:3948
ssvc Track https://access.redhat.com/errata/RHSA-2026:3948
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2575.json
cvssv3.1 5.3 https://access.redhat.com/security/cve/CVE-2026-2575
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2026-2575
ssvc Track https://access.redhat.com/security/cve/CVE-2026-2575
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2026-2575
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-2575
cvssv3.1 5.3 https://bugzilla.redhat.com/show_bug.cgi?id=2440149
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2440149
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2440149
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xv6h-r36f-3gp5
cvssv3.1 5.3 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 5.3 https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04
cvssv3.1 5.3 https://github.com/keycloak/keycloak/issues/46372
generic_textual MODERATE https://github.com/keycloak/keycloak/issues/46372
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-2575
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-2575
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/errata/RHSA-2026:3947
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): low
(The same CVSS:3.1 vector is reported by every source listed below.)
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T13:34:34Z/ Found at https://access.redhat.com/errata/RHSA-2026:3947
Exploitation (E): none; Automatable (A): yes; Technical Impact (T): partial; Decision (D): Track
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/errata/RHSA-2026:3948
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T13:34:34Z/ Found at https://access.redhat.com/errata/RHSA-2026:3948
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2575.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/security/cve/CVE-2026-2575
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T13:34:34Z/ Found at https://access.redhat.com/security/cve/CVE-2026-2575
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://bugzilla.redhat.com/show_bug.cgi?id=2440149
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T13:34:34Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2440149
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/keycloak/keycloak/issues/46372
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-2575
Exploit Prediction Scoring System (EPSS)
Percentile 0.08475
EPSS Score 0.0003
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:22.325538+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xv6h-r36f-3gp5/GHSA-xv6h-r36f-3gp5.json 38.0.0