Question about applicability of Red Hat Keycloak CVEs to upstream Keycloak


Richard Nox

Mar 18, 2026, 10:30:06 PM
to Keycloak User

Hello everyone,

I hope you're doing well. I've recently come across several CVEs that appear to be affecting the 'Red Hat build of Keycloak,' specifically:

  • CVE-2026-4366

  • CVE-2026-2575

  • CVE-2026-2603

  • CVE-2026-2092

I was hoping to kindly ask if anyone could clarify whether these vulnerabilities are also applicable to the upstream (vanilla) Keycloak community distribution, or if they are specific to Red Hat's packaging, patches, or environment.

Thank you very much in advance for your time and help!

Best regards

Niko Köbler

Mar 22, 2026, 5:16:47 PM
to Keycloak User

Евгений Цемент

Mar 23, 2026, 3:16:15 AM
to Niko Köbler, Keycloak User
Thank you for the link, I appreciate it.

I see that one of the four CVEs has been registered there. The remaining three are unrelated to it, so I'm still unsure about their status regarding upstream Keycloak.

Thanks again!

Mon, Mar 23, 2026, 00:17 Niko Köbler <niko.k...@gmail.com>:

Niko Köbler

Mar 23, 2026, 6:13:27 AM
to Keycloak User
Don't know if proper searching in GH issues is that hard...
https://github.com/keycloak/keycloak/issues?q=type%3Acve%20(4366%20OR%202575%20OR%202603%20OR%202092)
All of your 4 mentioned CVEs are there, 3 are already resolved (and fixes released), 1 is still open.
The 3 released ones were also mentioned in the release notes of the past patch versions.

Евгений Цемент

Mar 23, 2026, 7:39:11 AM
to Keycloak User, Niko Köbler
Thank you for the link — I admit I missed that search query, so I appreciate you pointing it out.

Mon, Mar 23, 2026, 13:13 Niko Köbler <niko.k...@gmail.com>:

Hichem Ben Mouldi Sakouhi

Mar 23, 2026, 5:53:35 PM
to Niko Köbler, Keycloak User
Hello,
If you are running the vanilla Keycloak community distribution (the official Docker image quay.io/keycloak/keycloak or the standalone ZIP from keycloak.org), you should plan to patch for CVE-2026-4366, CVE-2026-2575, and CVE-2026-2603 once the upstream fix is released (or if you are on an affected version). You can likely ignore CVE-2026-2092 unless you are using Red Hat’s specific RPMs or OpenShift Operator.
Sincerely yours!


Hichem Ben Mouldi Sakouhi

Mar 23, 2026, 5:53:35 PM
to Евгений Цемент, Keycloak User, Niko Köbler
I'd be happy to help. To give you specific, actionable guidance, I'll need just a few details about your Keycloak setup. Here's what would help me provide the best assistance:

---

Quick Questions

1. What version of Keycloak are you currently running?
   · You can find this in the Admin Console footer, or via:
     ```bash
     docker exec <container_id> /opt/keycloak/bin/kc.sh version
     ```
     or if running standalone:
     ```bash
     /opt/keycloak/bin/kc.sh version
     ```
2. How is Keycloak deployed?
   · Docker / Podman
   · Kubernetes / OpenShift (Operator)
   · Standalone (ZIP/tarball)
   · RPM (RHEL / Red Hat build)
3. Do you use SAML identity provider brokering?
   · i.e., does your Keycloak allow users to log in via external SAML IdPs like ADFS, Okta, etc.?
4. What environment is this?
   · Production
   · Staging
   · Development

---

While you gather that, here are immediate actions you can take

For CVE-2026-2092 (SAML encrypted assertion injection)

Check if you're exposed:

```bash
# If using SAML brokering, check your realms
curl -s "http://localhost:8080/admin/realms" -H "Authorization: Bearer $TOKEN" | jq '.[] | select(.identityProviders[]?.providerId=="saml") | .realm'
```

If this returns any realms, and your version is < 26.2.14 / 26.4.10 / 26.5.5 / 26.6.0, you're vulnerable.

Temporary mitigation if you can't upgrade immediately:

· For any realm using SAML brokering, consider adding this to your standalone.xml or standalone-ha.xml (if using traditional distribution) to enforce stricter assertion validation if the patch backports allow it:
  ```xml
  <spi name="saml">
      <provider name="saml" enabled="true">
          <properties>
              <property name="validateEncryptedAssertionSignature" value="true"/>
          </properties>
      </provider>
  </spi>
  ```
  ⚠️ This property may only exist in patched versions. Test in non-production first.

---

For all four CVEs (quick fix path)

If you can upgrade, the safest version that resolves all four CVEs is:

| Version | Status |
| --- | --- |
| 26.6.0 | ✅ All four fixed |
| 26.5.5 | ✅ All four fixed |
| 26.4.10 | ✅ All four fixed |
| 26.2.14 | ✅ All four fixed (but older feature set) |

Recommended: 26.6.0 (latest stable as of this writing)

Sincerely


Antonis Kopsaftis

Mar 24, 2026, 2:28:54 AM
to Keycloak User
Hello,

I'm currently using 26.4.7, and on the GitHub releases page (https://github.com/keycloak/keycloak/releases) there is no 26.4.10 version.

Also, neither on https://www.keycloak.org/downloads nor on https://github.com/keycloak/keycloak/releases do I see any 26.6.0 version. The latest seems to be 26.5.6.

akops

Niko Köbler

Mar 24, 2026, 3:31:22 AM
to Keycloak User
Simply ignore this message. This is wrong in many ways and seems to be just a stupid dump from a dumb AI output.

Regarding the CVEs and this dumb AI generated message:

- it doesn't matter how Keycloak is deployed
- there is no "standalone" mode
- the environment doesn't matter
- there is no xml configuration file anymore for years
- it's just a lie that all 4 CVEs are fixed; if you have a look into the issues, you'll see that, as of the time of writing this, one CVE is still open (as of the link I already posted: https://github.com/keycloak/keycloak/issues?q=type%3Acve%20(4366%20OR%202575%20OR%202603%20OR%202092) )
- the mentioned release versions 26.4.10 and 26.2.14 are GH tags, not public Keycloak binary releases (but it's true that you could(!) check out the tags for yourself and build the binaries yourself); they are used to build RHBK
- version 26.6.x is not yet released, this should most likely happen next week (as of https://github.com/keycloak/keycloak/milestones)

It's so sad that people try to be "clever" by pasting wrong and dumb AI answers, which are simply hallucinations, when these people have no clue at all what they're pasting and posting in their messages.
This will increase and become more and more common in the future. So be aware of the information you get in public spaces, especially if they don't give you the source of the information.
Read the release notes, docs and issues yourself; don't rely only on random answers!
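The advice above (check `kc.sh version`, compare against the published binary releases rather than Git tags, and read the `type:cve` issues yourself) can be turned into a small triage script. This is an added example, not code from the thread or from the Keycloak project; it assumes `kc.sh version` prints a first line of the form `Keycloak <version>`, and the release list, issue records and CVE ids below are constructed placeholders, not the real ones discussed here.

```python
import re

# Constructed sample of `kc.sh version` output (assumed to begin with "Keycloak <ver>").
SAMPLE_VERSION_OUTPUT = """Keycloak 26.4.7
JVM: (constructed sample line)
OS: (constructed sample line)
"""

# Constructed sample of published binary releases. Git tags are deliberately not
# included: as the thread notes, a tag is not a public release.
SAMPLE_RELEASES = ["26.2.13", "26.4.6", "26.4.7", "26.5.5", "26.5.6"]

# Constructed issue records in the shape of GitHub's issues API, with placeholder
# CVE ids (not the real CVEs from this thread) and made-up states.
SAMPLE_CVE_ISSUES = [
    {"number": 1, "title": "CVE-2026-0001 placeholder, still open", "state": "open"},
    {"number": 2, "title": "CVE-2026-0002 placeholder, fixed", "state": "closed"},
    {"number": 3, "title": "Unrelated issue", "state": "open"},
]

def parse_version(s):
    """'26.4.7' -> (26, 4, 7), so tuples compare in version order."""
    return tuple(int(p) for p in s.strip().split("."))

def parse_kc_version(output):
    m = re.search(r"^Keycloak\s+(\d+(?:\.\d+)*)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Keycloak <version>' line found")
    return parse_version(m.group(1))

def latest_patch(releases, line):
    """Highest published release whose major.minor equals `line`, or None."""
    found = [parse_version(r) for r in releases if parse_version(r)[:2] == line]
    return max(found) if found else None

def open_cves(issues, cve_ids):
    """CVE ids whose tracking issue is still open (title match, case-sensitive)."""
    open_titles = [i["title"] for i in issues if i["state"] == "open"]
    return sorted(c for c in cve_ids if any(c in t for t in open_titles))

def triage(output, releases, issues, cve_ids):
    installed = parse_kc_version(output)
    line = installed[:2]
    newest_in_line = latest_patch(releases, line)
    newest_overall = max(parse_version(r) for r in releases)
    return {
        "installed": installed,
        "behind_in_line": newest_in_line is not None and installed < newest_in_line,
        "newer_minor_available": newest_overall[:2] > line,
        "still_open": open_cves(issues, cve_ids),
    }
```

In practice the release list comes from https://github.com/keycloak/keycloak/releases and the issue records from the `type:cve` search Niko linked; an open entry in `still_open` means no fix exists to upgrade to yet.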

David Cook

Mar 24, 2026, 7:43:19 PM
to Niko Köbler, Keycloak User
Thanks for fighting the good fight, Niko. Greatly appreciate your work on Keycloak!

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899