Keycloak DoS Vulnerability (CVE-2026-7307) Exposes SAML Endpoints
A critical denial-of-service (DoS) vulnerability, CVE-2026-7307, has been identified in Keycloak, an open-source identity and access management solution. According to the National Vulnerability Database, this flaw allows a remote, unauthenticated attacker to target Keycloak’s Security Assertion Markup Language (SAML) endpoint with specially crafted XML input. The malicious input triggers high CPU utilization and worker thread starvation, effectively rendering the Keycloak server unavailable.
The National Vulnerability Database assigned CVE-2026-7307 a CVSSv3.1 score of 7.5 (High severity), emphasizing its significant impact on availability. The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. This means any internet-facing Keycloak instance with SAML enabled is a potential target for disruption.
While specific affected product versions were not detailed by the National Vulnerability Database, the existence of this unauthenticated DoS vector against a core authentication service like Keycloak presents a clear and present danger to organizations relying on it for single sign-on (SSO) and identity federation. Defenders must prioritize mitigating this vulnerability to prevent service outages.
What This Means For You
- If your organization uses Keycloak, especially with SAML enabled, this is a critical availability risk. An unauthenticated attacker can take down your identity provider, crippling access to all integrated applications. Immediately assess your Keycloak deployments for this vulnerability and apply available patches. Review your SAML endpoint configurations and consider implementing XML input validation or rate limiting at the perimeter if a patch isn't immediately feasible.
Related ATT&CK Techniques
🛡️ Detection Rules
1 rule · 6 SIEM formats1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Keycloak SAML Endpoint DoS Attempt - CVE-2026-7307
title: Keycloak SAML Endpoint DoS Attempt - CVE-2026-7307
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-7307 by sending crafted XML input to Keycloak's SAML endpoint, specifically targeting the '/auth/realms/<realm>/broker/openshift-ళ్ల/endpoint' path, which can lead to a Denial of Service.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7307/
tags:
- attack.impact
- attack.t1499
logsource:
category: webserver
detection:
selection:
cs-uri|endswith:
- '/auth/realms/master/broker/openshift-ళ్ల/endpoint'
- '/auth/realms/your-realm/broker/openshift-ళ్ల/endpoint'
cs-method:
- 'POST'
sc-status:
- '500'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7307 | DoS | Keycloak SAML endpoint |
| CVE-2026-7307 | DoS | Specially crafted XML input |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 19, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...