CVE-2026-3047 identifies a critical authentication bypass vulnerability in the Red Hat Build of Keycloak, a widely used open-source identity and access management solution. The vulnerability resides in the org.keycloak.broker.saml module, which handles SAML-based identity federation. Specifically, when a SAML client is disabled but still configured as an Identity Provider (IdP)-initiated broker landing target, the system erroneously allows the login process to complete and establishes a Single Sign-On (SSO) session. This bypasses the intended security restriction that disabled clients should not be able to authenticate users or initiate sessions. The flaw effectively allows a remote attacker with network access and at least low privileges (PR:L) to impersonate users and gain unauthorized access to other enabled clients without requiring re-authentication or user interaction. The vulnerability impacts confidentiality, integrity, and availability by enabling unauthorized access and potential privilege escalation within federated environments. The CVSS 3.1 score of 8.8 reflects the ease of exploitation (low complexity), no user interaction, and high impact on all security aspects. Although no public exploits are currently known, the vulnerability poses a significant risk to organizations using Keycloak for SSO, especially those leveraging SAML IdP-initiated flows and relying on client disablement as an access control mechanism. The absence of affected versions listed suggests the need to consult vendor advisories for patched releases. This vulnerability highlights the importance of validating client states in federated authentication flows to prevent unauthorized session establishment.

The vulnerability allows attackers to bypass authentication controls and gain unauthorized access to services protected by Keycloak SSO, potentially leading to data breaches, privilege escalation, and lateral movement within enterprise environments. Confidentiality is compromised as attackers can access sensitive user sessions and data. Integrity is at risk because unauthorized users can impersonate legitimate users, potentially modifying data or configurations. Availability may also be affected if attackers disrupt authentication flows or abuse sessions. Organizations using Keycloak for critical identity federation, especially with SAML IdP-initiated flows, face increased risk of unauthorized access and compliance violations. The flaw undermines trust in the SSO infrastructure, potentially exposing multiple connected applications simultaneously. Given Keycloak’s widespread adoption in government, finance, healthcare, and large enterprises, the impact is broad and severe. The lack of required user interaction and low attack complexity further increase the likelihood of exploitation once a vulnerable system is identified.

Organizations should immediately review their Keycloak configurations to identify any disabled SAML clients configured as IdP-initiated broker landing targets and remove or reconfigure them to prevent unauthorized session establishment. Applying the latest security patches from Red Hat or the Keycloak project that address CVE-2026-3047 is critical once available. Until patches are deployed, consider disabling SAML IdP-initiated flows if feasible or implementing additional access controls such as network segmentation and strict client validation. Monitoring authentication logs for unusual SSO session creations linked to disabled clients can help detect exploitation attempts. Employing multi-factor authentication (MFA) at the application layer can provide an additional security barrier. Security teams should conduct penetration testing focused on SAML broker configurations to identify potential bypasses. Finally, update incident response plans to include this vulnerability and educate administrators on the risks of relying solely on client disablement for access control.