keycloak-services is vulnerable to Missing XML Validation
31
Low Risk
Affected versions of this package are vulnerable to improper validation of SAML assertions. When acting as the client (service provider) in a Security Assertion Markup Language (SAML) setup, the application does not validate the NotOnOrAfter timestamp within the SubjectConfirmationData element. Because that attribute is what bounds how long a bearer assertion may be presented, an attacker can replay a SAML response after the time at which it should have expired, extending the period during which the response is accepted and leading to unintended session durations or resource consumption.
You are affected if you are using a version that falls within the vulnerable range.
keycloak-services is vulnerable to Missing XML Validation in versions 0.0.1 - 26.5.3.
Upgrade the org.keycloak:keycloak-services library to a patched version.
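To make the missing check concrete, the following is an added Python example, not Keycloak code and not part of this advisory. It shows the validation a SAML service provider must perform on each SubjectConfirmationData element: parse NotOnOrAfter, treat it as an exclusive bound, allow a small clock-skew tolerance, and reject assertions that omit the attribute. The assertion fragment, the issuer and recipient URLs, and the 30-second skew are constructed values chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Fixed reference instant so the demonstration is reproducible (constructed).
REFERENCE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_saml_instant(value):
    """Parse an xs:dateTime as used by SAML (e.g. 2024-01-01T12:00:00Z) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML timestamps must carry a timezone")
    return instant.astimezone(timezone.utc)


def check_subject_confirmation(assertion_xml, now=None, clock_skew_seconds=30):
    """Return (accepted, reason) for the SubjectConfirmationData timestamps of an assertion.

    Rejects when any SubjectConfirmationData lacks NotOnOrAfter, has already expired
    (NotOnOrAfter is an exclusive bound: the instant itself is invalid), or is not yet
    valid per NotBefore. A small clock skew between IdP and SP is tolerated.
    Note: xml.etree is used for brevity; production parsers should be XXE-hardened.
    """
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(assertion_xml)
    nodes = root.findall(".//saml:SubjectConfirmationData", SAML_NS)
    if not nodes:
        return False, "no SubjectConfirmationData element"
    for scd in nodes:
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after is None:
            # This is exactly the case the advisory describes: an absent bound must not be accepted.
            return False, "SubjectConfirmationData lacks NotOnOrAfter"
        expiry = parse_saml_instant(not_on_or_after)
        if now - skew >= expiry:
            return False, f"assertion expired at {not_on_or_after}"
        not_before = scd.get("NotBefore")
        if not_before is not None and now + skew < parse_saml_instant(not_before):
            return False, f"assertion not valid before {not_before}"
    return True, "ok"


def build_assertion(not_on_or_after, include_expiry=True):
    """Build a minimal constructed SAML assertion (hypothetical issuer/recipient, not a real message)."""
    expiry_attr = f' NotOnOrAfter="{not_on_or_after}"' if include_expiry else ""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{expiry_attr} Recipient="https://sp.example.test/saml"/>'
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


def run_demo():
    """Evaluate a few constructed assertions against REFERENCE_NOW and return the verdicts."""
    cases = {
        "still valid": build_assertion("2024-01-01T12:05:00Z"),
        "expired (replayed)": build_assertion("2024-01-01T11:55:00Z"),
        "no NotOnOrAfter": build_assertion("", include_expiry=False),
    }
    return {name: check_subject_confirmation(xml, now=REFERENCE_NOW) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_demo().items():
        print(f"{name:20s} accepted={accepted} ({reason})")
```

The check deliberately rejects an assertion with no NotOnOrAfter rather than treating it as unbounded; an unbounded bearer confirmation is what turns a single captured response into a long-lived credential. The skew tolerance is kept small and explicit so the accepted window stays close to what the identity provider intended.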