CVE-2026-7307

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:19594	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:19595	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:19596	Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:19597	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-7307	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2476526	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*

History

03 Jun 2026, 19:52

Type	Values Removed	Values Added
First Time		Redhat Redhat build Of Keycloak
CPE		cpe:2.3:a:redhat:build_of_keycloak::::::::
References	~~() https://access.redhat.com/errata/RHSA-2026:19594 -~~	() https://access.redhat.com/errata/RHSA-2026:19594 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2026:19595 -~~	() https://access.redhat.com/errata/RHSA-2026:19595 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2026:19596 -~~	() https://access.redhat.com/errata/RHSA-2026:19596 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2026:19597 -~~	() https://access.redhat.com/errata/RHSA-2026:19597 - Vendor Advisory
References	~~() https://access.redhat.com/security/cve/CVE-2026-7307 -~~	() https://access.redhat.com/security/cve/CVE-2026-7307 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2476526 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2476526 - Vendor Advisory

20 May 2026, 17:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:19595 - () https://access.redhat.com/errata/RHSA-2026:19596 -

20 May 2026, 12:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:19594 - () https://access.redhat.com/errata/RHSA-2026:19597 -

19 May 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-19 12:16

Updated : 2026-06-03 19:52

NVD link : CVE-2026-7307

Mitre link : CVE-2026-7307

CVE.ORG link : CVE-2026-7307

JSON object : View

Products Affected

redhat

build_of_keycloak

CWE

CWE-1286

Improper Validation of Syntactic Correctness of Input

7.5 /10