CVE-2026-2575 in KeyCloak
Summary
by MITRE • 03/18/2026
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Analysis
by VulDB Data Team • 03/22/2026
This Keycloak vulnerability is an application-level denial of service reachable through the SAML Redirect Binding. In that binding the SAMLRequest travels as a URL query parameter that has been DEFLATE-compressed, base64-encoded and URL-encoded, so the server has to inflate it before it can parse the XML. Keycloak performed that inflation without a ceiling on the decompressed size. An unauthenticated remote attacker can therefore send a small, highly compressible SAMLRequest that looks like an ordinary authentication request on the wire but expands into a buffer the JVM heap cannot hold, producing an OutOfMemoryError and, as the advisory states, termination of the process.
Technically this is the classic decompression bomb pattern: the attacker compresses highly redundant data so that a few kilobytes on the wire inflate to orders of magnitude more in memory. A practitioner's check on the numbers: DEFLATE cannot expand beyond roughly 1032:1, so the inflated size of a single request is bounded by the URL length the front end accepts; the damage comes from the inflated bytes being buffered on the heap and from the attacker being free to repeat or parallelise the request until the heap is exhausted. The root cause maps to CWE-400 (Uncontrolled Resource Consumption), the same weakness class behind decompression bombs in many other applications and platforms. Because the Redirect Binding is a standard, expected entry point rather than an obscure feature, any Keycloak deployment that accepts it is reachable, and the request needs no session or credentials.
The operational impact goes beyond the Keycloak process itself. When the process terminates, every application and service that relies on that server for authentication loses its login path at once, so a single request against the identity provider cascades into an outage across the estate. The attack is remote and unauthenticated, can be repeated as fast as the attacker can send requests, and can be aimed at every exposed instance in parallel; until the server is patched, restarts only buy time until the next request. Expect lost productivity during the outage and, in environments where availability of authentication is itself a security control, follow-on risk from fallback procedures adopted under pressure.
The durable fix belongs in the code that inflates the SAMLRequest: it must stop once the decompressed output passes a ceiling sized for a real authentication request, reject the request with an error, and never let the allocation grow to match whatever the client sent. That fix ships with the patched Keycloak release, so applying the update promptly is the primary mitigation. Until then, defenders can shrink the attack surface at the edge: cap the length of the SAMLRequest query parameter and of request lines at the reverse proxy or WAF (a proxy cannot validate SAML content without inflating it, but it can refuse parameters far larger than any legitimate AuthnRequest), and rate-limit the SAML endpoints per source. Monitoring should alert on unusually large SAMLRequest parameters, on JVM OutOfMemoryError events and on unexpected process restarts, since any of these is an early sign of attempted exploitation. In ATT&CK terms the technique is T1499.004 (Endpoint Denial of Service: Application or System Exploitation).
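To make the mechanism and the fix concrete, the following is an added example written for this page; it is not Keycloak's code and it does not reproduce the project's exact decompression path. It rebuilds the Redirect Binding encoding (raw DEFLATE, base64, URL-encoding), constructs a SAMLRequest parameter that inflates to roughly a thousand times its wire size, and contrasts an unbounded inflater with one that enforces a decompressed-size ceiling. The names (`build_bomb`, `inflate_bounded`, `accepts`) and the `MAX_INFLATED` value are this example's own assumptions.

```python
"""Added example (not Keycloak code): SAML Redirect Binding decompression bomb
and a bounded inflater that defeats it. All names and limits are assumptions."""
import base64
import urllib.parse
import zlib

# Assumed ceiling for this example. A genuine AuthnRequest is a few KB of XML,
# so even a generous limit sits far below what a bomb tries to allocate.
MAX_INFLATED = 1024 * 1024  # 1 MiB


class PayloadTooLarge(ValueError):
    """Raised when a SAMLRequest would inflate beyond the configured limit."""


def encode_redirect_binding(xml: bytes) -> str:
    """Encode XML the way the Redirect Binding does: raw DEFLATE, base64, %-encode."""
    comp = zlib.compressobj(level=9, wbits=-15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_param(param: str) -> bytes:
    """Strip the transport layers, leaving the raw DEFLATE stream."""
    return base64.b64decode(urllib.parse.unquote(param))


def build_bomb(inflated_size: int = 16 * 1024 * 1024) -> str:
    """Constructed attack input: an element attribute that is one repeated byte,
    which DEFLATE shrinks close to its theoretical 1032:1 maximum."""
    xml = b'<samlp:AuthnRequest ID="' + b"A" * inflated_size + b'"/>'
    return encode_redirect_binding(xml)


def inflate_unbounded(deflated: bytes) -> bytes:
    """The weak pattern: inflate whatever the client sent, however large it becomes."""
    return zlib.decompress(deflated, wbits=-15)


def inflate_bounded(deflated: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Hardened pattern: feed decompressobj with max_length so the output buffer
    can never grow past `limit`, whatever the input would expand to."""
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    data = deflated
    while not d.eof:
        room = limit + 1 - len(out)          # one spare byte lets us detect overrun
        piece = d.decompress(data, room)
        out += piece
        if len(out) > limit:
            raise PayloadTooLarge(f"SAMLRequest inflates past {limit} bytes")
        data = d.unconsumed_tail             # input zlib has not consumed yet
        if not piece and not data:
            raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def accepts(param: str, limit: int = MAX_INFLATED) -> bool:
    """What a hardened endpoint does with the parameter: decode, inflate under a
    cap, and reject (without a large allocation) anything that overruns it."""
    try:
        inflate_bounded(decode_param(param), limit)
    except PayloadTooLarge:
        return False
    return True


BENIGN_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_example" Version="2.0" Destination="https://idp.example/saml"/>')  # constructed

if __name__ == "__main__":
    bomb = build_bomb()
    wire = len(decode_param(bomb))
    print(f"bomb wire size: {wire} bytes; inflates to {len(inflate_unbounded(decode_param(bomb)))}")
    print("benign accepted:", accepts(encode_redirect_binding(BENIGN_XML)))
    print("bomb accepted:", accepts(bomb))
```

The bounded inflater is the important half: because `decompressobj.decompress` takes a `max_length`, the output buffer is sized by the server's policy rather than by the attacker's input, and the rejection happens after at most `limit + 1` bytes have been produced. The same shape applies in Java with `Inflater.inflate` into a fixed buffer and a running total; the weak version in any language is the one that loops until the stream ends and appends to a growable buffer.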