All errata/sisyphus/ALT-PU-2026-3392-3
ALT-PU-2026-3392-3

Package update keycloak in branch sisyphus

Version26.5.4-alt1
Task#408332
Published2026-03-19
Max severityMEDIUM
Severity:

Closed issues (9)

CVE-2026-0707
MEDIUM5.3

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Published: 2026-01-08Modified: 2026-04-15
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2026-1190
LOW3.1

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Published: 2026-01-26Modified: 2026-04-15
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
References
CVE-2026-2575
MEDIUM5.3

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

Published: 2026-03-18Modified: 2026-03-18
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2026-2733
LOW3.8

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

Published: 2026-02-19Modified: 2026-04-15
CVSS 3.xLOW 3.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References
GHSA-63v5-26vq-m4vm
LOW3.1

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Published: 2026-01-27Modified: 2026-03-06
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
References
GHSA-fjf4-6f34-w64q
LOW3.8

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Published: 2026-02-19Modified: 2026-03-06
CVSS 3.xLOW 3.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References
GHSA-gv94-wp4h-vv8p
MEDIUM5.3

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Published: 2026-01-08Modified: 2026-03-06
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
GHSA-xv6h-r36f-3gp5
MEDIUM5.3

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Published: 2026-03-18Modified: 2026-03-18
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References

Closed bugs (1)

Bug #57787

Необходимо запускать сервис от непривелегированного пользователя