keycloak-services is vulnerable to Denial of Service (DoS)
50
Medium Risk
Affected versions of this package are vulnerable to a Denial of Service (DoS). The application does not enforce size limits when decompressing SAMLRequest messages received via the SAML Redirect Binding. An unauthenticated remote attacker can send a highly compressed request that expands significantly during DEFLATE decompression, potentially causing excessive memory consumption and triggering an OutOfMemoryError, leading to process termination.
You are affected if you are using a version that falls within the vulnerable range.
keycloak-services is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 26.5.3.
Upgrade the org.keycloak:keycloak-services library to a patched version.
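The unbounded decode described above, beside a bounded one, as an added Python example that is not Keycloak's code: it encodes a constructed AuthnRequest the way the Redirect Binding does (raw DEFLATE, base64, URL-encoding), then shows that a cap on the inflated size (MAX_INFLATED_BYTES, an assumed 64 KiB) rejects a highly compressible payload after buffering one byte past the limit rather than its full expansion. All names and values are assumptions for illustration.

```python
import base64
import urllib.parse
import zlib

# Largest inflated SAMLRequest the endpoint will buffer; 64 KiB is an assumed
# value for this example, not a Keycloak setting.
MAX_INFLATED_BYTES = 64 * 1024

# Constructed sample AuthnRequest (not a real deployment's message).
SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)


class InflatedTooLarge(ValueError):
    """The DEFLATE stream would expand past the configured limit."""


def encode_redirect_param(xml: bytes) -> str:
    """Encode as the Redirect Binding does: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_unbounded(param: str) -> bytes:
    """Vulnerable pattern: inflate whatever the client sent, with no size cap."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, wbits=-15)


def decode_bounded(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Hardened pattern: the inflater may emit at most limit + 1 bytes, so an
    oversized stream is detected one byte over the cap, never at full size."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    inflater = zlib.decompressobj(wbits=-15)
    out = inflater.decompress(raw, limit + 1)  # max_length stops output early
    if len(out) > limit or inflater.unconsumed_tail:
        raise InflatedTooLarge(f"SAMLRequest inflates beyond {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return out


def is_rejected(param: str, limit: int = MAX_INFLATED_BYTES) -> bool:
    """True when the bounded decoder refuses the parameter as oversized."""
    try:
        decode_bounded(param, limit)
    except InflatedTooLarge:
        return True
    return False
```

Running `decode_unbounded(encode_redirect_param(bytes(1 << 20)))` buffers the full 1 MiB that roughly 1 KiB of input expands to, while `decode_bounded` on the same parameter raises InflatedTooLarge after 64 KiB + 1 bytes.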