CVE-2026-2575: Improper Handling of Highly Compressed Data (Data Amplification) in Red Hat build of Keycloak 26.4
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
AI Analysis
Technical Summary
CVE-2026-2575 identifies a vulnerability in Red Hat's build of Keycloak version 26.4 in the handling of highly compressed SAMLRequest messages sent via the SAML Redirect Binding. The server does not enforce a size limit while DEFLATE-decompressing an incoming SAMLRequest, so an attacker can craft a small compressed SAMLRequest that decompresses to a very large size and consumes excessive memory. The result is an OutOfMemoryError (OOM) in the Java runtime, which terminates the Keycloak process and causes a denial of service (DoS). The attack requires no authentication or user interaction, so any unauthenticated attacker with network access to the Keycloak server can trigger it. The vulnerability affects the availability of the service but not the confidentiality or integrity of data. The CVSS v3.1 base score is 5.3 (medium): the attack is easy to carry out and affects availability, while confidentiality and integrity are untouched. No patches or exploits are currently publicly documented, but the flaw is officially published and should be addressed promptly. This is a data amplification (compression bomb) attack: a small compressed input expands to a large decompressed size and overwhelms system resources. Keycloak is widely used for identity and access management in enterprise and cloud environments, so the vulnerability is relevant to any organization relying on it for authentication and authorization services.
Potential Impact
The primary impact of CVE-2026-2575 is the disruption of availability of Keycloak authentication services. Organizations relying on Keycloak 26.4 for identity and access management may experience service outages if targeted by this attack, potentially preventing users from authenticating or accessing critical applications. This can lead to operational downtime, loss of productivity, and cascading effects on dependent systems. Since the vulnerability does not affect confidentiality or integrity, data breaches and unauthorized access are not direct concerns. However, denial of service against authentication infrastructure can indirectly increase risk by forcing a fallback to less secure methods or by disrupting operations. Because exploitation requires neither authentication nor user interaction, opportunistic attacks are more likely, especially in exposed environments. Large enterprises, government agencies, and cloud service providers using Keycloak are particularly at risk. The absence of known exploits in the wild currently limits the immediate impact but does not preclude future exploitation. Overall, the vulnerability poses a moderate risk to service continuity and operational stability.
Mitigation Recommendations
To mitigate CVE-2026-2575:
- Monitor Red Hat and Keycloak vendor advisories for official patches or updates addressing this vulnerability and apply them promptly.
- In the absence of patches, enforce strict input validation and size limits on incoming SAMLRequests at the application or reverse proxy level, so that excessively large or suspicious payloads are rejected before they are processed.
- Configure network-level protections such as Web Application Firewalls (WAFs) to detect and block anomalous SAMLRequest traffic patterns indicative of compression bombs or data amplification attacks.
- Apply resource limits and monitoring on Keycloak servers to detect and respond to abnormal memory usage spikes.
- Consider isolating Keycloak instances behind hardened gateways that enforce protocol compliance and rate limiting.
- Regularly audit and review authentication logs for unusual activity.
- Ensure that Keycloak runs with appropriate Java Virtual Machine (JVM) memory settings, and consider JVM options that limit decompression resource consumption.
- Educate security teams about this vulnerability to improve detection and incident response readiness.
- Avoid exposing Keycloak endpoints unnecessarily to untrusted networks.
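The size limit the mitigation section asks for, as an added example that is not Keycloak's code: a Python model of the Redirect Binding encoding (raw DEFLATE, base64, URL-encoding) with the unbounded inflate beside a bounded decoder that caps both the encoded parameter and the inflated output and stops before the output is materialised. The two cap values, the `SamlRequestTooLarge` name and the sample inputs are assumptions constructed for the example.

```python
import base64
import zlib
from urllib.parse import quote, unquote

# Constructed example, not Keycloak's code. The SAML HTTP-Redirect Binding carries
# SAMLRequest as raw DEFLATE -> base64 -> URL-encoded query value. Both caps are
# assumed policy values; a real AuthnRequest is only a few KB in either form.
MAX_ENCODED_BYTES = 32 * 1024
MAX_INFLATED_BYTES = 64 * 1024

class SamlRequestTooLarge(ValueError):
    pass

def encode_redirect_param(xml: bytes) -> str:
    """Encode as a Redirect Binding sender does (used here only to build test inputs)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    return quote(base64.b64encode(comp.compress(xml) + comp.flush()).decode("ascii"), safe="")

def inflate_unbounded(param: str) -> bytes:
    """The vulnerable pattern: the output is whatever size the stream dictates, all in memory."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15)

def inflate_bounded(param: str, max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Hardened decoder: cap the encoded input, inflate in bounded steps, abort early."""
    if len(param) > MAX_ENCODED_BYTES:
        raise SamlRequestTooLarge(f"encoded SAMLRequest exceeds {MAX_ENCODED_BYTES} bytes")
    data = base64.b64decode(unquote(param), validate=True)
    d = zlib.decompressobj(-15)
    out = bytearray()
    while data:
        # max_length bounds this call's output; unread input waits in unconsumed_tail
        out += d.decompress(data, max_out + 1 - len(out))
        data = d.unconsumed_tail
        if not data:
            out += d.flush()  # pending output of a final back-reference, if any
        if len(out) > max_out:
            raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {max_out} bytes")
    return bytes(out)

def is_rejected(param: str) -> bool:
    try:
        inflate_bounded(param)
        return False
    except SamlRequestTooLarge:
        return True

# Constructed inputs: a realistic AuthnRequest and a highly compressible 4 MiB blob.
BENIGN_XML = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" Version="2.0"/>'
BENIGN_PARAM = encode_redirect_param(BENIGN_XML)
BOMB_PARAM = encode_redirect_param(b"\0" * (4 * 1024 * 1024))
```

The bounded decoder rejects the 4 MiB blob after producing at most 64 KiB + 1 bytes, while the encoded parameter itself stays under the input cap, which is why the output cap, not the input cap, is the control that matters here.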
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, Canada, Australia, Brazil, Netherlands, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-02-16T08:39:17.943Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bab319771bdb1749a293e2
Added to database: 3/18/2026, 2:13:45 PM
Last enriched: 3/18/2026, 2:28:10 PM
Last updated: 3/19/2026, 3:21:40 AM