CVE-2026-3009 in Keycloak

Summary

by MITRE • 03/05/2026

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.


Analysis

by VulDB Data Team • 03/11/2026

CVE-2026-3009 is a critical access control flaw in Keycloak's IdentityBrokerService component that directly affects the integrity of authentication workflows. It manifests in the performLogin endpoint, which fails to validate that an Identity Provider is still active before processing an authentication request. As a result, a disabled identity provider can still be used for authentication, bypassing the administrative control that should prevent such use. The flaw behaves as a race condition or state-validation failure: the system does not re-check whether the provider is enabled at the moment the authentication request is processed, so an attacker can reuse authentication tokens or requests that were generated while the provider was still active.

The root cause is inadequate state management in Keycloak's identity broker service. When an administrator disables an identity provider through the management console, all pending or cached authentication requests associated with that provider should be invalidated or rejected. The affected implementation instead fails to keep the provider's enabled status synchronized with active authentication sessions. This is a classic violation of the principle of least privilege and of proper access control enforcement, as captured by CWE-284 Access Control and CWE-352 Cross-Site Request Forgery. The flaw particularly affects flows in which external identity providers handle user authentication, giving an attacker a path to use a disabled provider configuration through replay or session-reuse techniques.

The operational impact of CVE-2026-3009 goes beyond a single unauthorized login and can enable broader breaches in systems that rely on Keycloak for identity management. An attacker who discovers a valid identity provider alias can construct requests that exploit this vulnerability and potentially reach systems that should be protected from authentication through the disabled provider. This directly violates the principle of administrative control and can lead to unauthorized system access, data breaches, and privilege escalation. The impact is especially severe in environments where identity providers are routinely enabled and disabled for security policies, compliance requirements, or maintenance windows. The flaw requires minimal reconnaissance, since the attacker only needs to know the identity provider alias, which makes it particularly dangerous where such information is publicly accessible or easily discoverable through network reconnaissance.

Mitigation for CVE-2026-3009 should focus on proper state validation in the IdentityBrokerService performLogin endpoint. Authentication requests must be validated against the current status of the identity provider, including a real-time check that the provider is still enabled before authentication processing continues. The implementation should also invalidate sessions so that authentication tokens or requests tied to disabled providers cannot be reused. Security measures should include monitoring for access attempts through disabled identity providers and robust logging of authentication attempts so that exploitation can be detected. Administrators should regularly review and audit identity provider configurations to ensure that disabled providers are properly decommissioned from active authentication flows. The mitigation approach should align with ATT&CK technique T1566 Credential Access and T1078 Valid Accounts, as this vulnerability enables unauthorized access through compromised or misconfigured authentication mechanisms. Organizations should also consider additional authentication controls such as multi-factor authentication and just-in-time provisioning to reduce the overall risk from identity provider misconfigurations.
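The real-time enabled check and the rejection logging described above, as an added model in Python (not Keycloak code; the class, method and alias names are assumed): the vulnerable callback trusts a state token issued before the IdP was disabled, while the hardened one re-checks the flag when the callback is processed.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class IdentityProvider:
    alias: str
    enabled: bool = True

@dataclass
class BrokerRealm:
    """Minimal model of a realm's brokered logins (constructed, not Keycloak code)."""
    providers: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # state token -> IdP alias
    audit_log: list = field(default_factory=list)

    def start_login(self, alias: str) -> str:
        """Redirect step: enabled flag is checked here; a state token binds the request to the alias."""
        if not self.providers[alias].enabled:
            raise PermissionError(f"identity provider {alias!r} is disabled")
        state = secrets.token_hex(8)
        self.pending[state] = alias
        return state

    def disable_provider(self, alias: str) -> None:
        """Admin disables the IdP; pending requests are left alone (the window the advisory describes)."""
        self.providers[alias].enabled = False

    def perform_login_vulnerable(self, state: str) -> bool:
        """Callback as described in the advisory: only checks that the state token exists."""
        return self.pending.pop(state, None) is not None

    def perform_login_fixed(self, state: str) -> bool:
        """Hardened callback: re-checks the enabled flag at processing time and logs rejections."""
        alias = self.pending.pop(state, None)
        if alias is None:
            return False
        if not self.providers[alias].enabled:
            self.audit_log.append(f"REJECTED brokered login idp={alias} reason=disabled")
            return False
        return True

def replay_after_disable(fixed: bool):
    """Start a login, disable the IdP, then replay the callback with the old state token."""
    realm = BrokerRealm()
    realm.providers["corp-saml"] = IdentityProvider("corp-saml")   # constructed alias
    state = realm.start_login("corp-saml")
    realm.disable_provider("corp-saml")
    handler = realm.perform_login_fixed if fixed else realm.perform_login_vulnerable
    return handler(state), realm.audit_log
```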

Disclosure

03/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00037

KEV

no

Activities

very low
