CVE Catalog

CVE-2026-9794

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

A flaw was found in Keycloak that allows a remote, unauthenticated attacker to send specially crafted SOAP requests to the SAML ECP endpoint. By observing distinct fault strings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.

Risk Assessment

The risk involves potential disclosure of client protocol type information, which could aid an attacker in further reconnaissance and potentially more advanced attacks.

Recommendation

It is recommended to immediately apply patches provided by Keycloak vendor and restrict access to the SAML ECP endpoint to trusted networks only.

Original NVD description (English source)

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS