Sign In

CVE-2026-1190

ADVISORY - github

Summary

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the NotOnOrAfter timestamp within the SubjectConfirmationData. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-112

Missing XML Validation

ADVISORY - github

CWE-112

Missing XML Validation

CWE-347

Improper Verification of Cryptographic Signature

CWE-613

Insufficient Session Expiration

ADVISORY - redhat

CWE-112

Missing XML Validation

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-1190
EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-112

CVSS SCORE

3.1low

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-63v5-26vq-m4vm
EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-112CWE-347CWE-613

CVSS SCORE

3.1low

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2026-1190
EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-112

CVSS SCORE

3.1low