CVE-2026-1190

Org.keycloak/keycloak-services: keycloak saml brokering: response delay due to unchecked notonorafter in subjectconfirmationdata

CVSS 3.1 LOWEPSS 0.4%CWE-112

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected products

Red Hat · Red Hat build of Keycloak 26.4 Red Hat · Red Hat build of Keycloak 26.4.10 Red Hat · Red Hat JBoss Enterprise Application Platform 8 Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack Red Hat · Red Hat Single Sign-On 7

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/errata/RHSA-2026:3947 https://access.redhat.com/errata/RHSA-2026:3948 https://access.redhat.com/security/cve/CVE-2026-1190 https://bugzilla.redhat.com/show_bug.cgi?id=2430835