Analyst readout for executives and security teams
Plain-English summary
Keycloak can reveal whether a guessed client ID belongs to a particular protocol type through different error messages from the SAML ECP endpoint. This is an information leak, not documented as account takeover or service disruption, but it can help attackers map identity configuration.
Executive priority
Handle in the normal vulnerability management cycle unless the SAML ECP endpoint is internet-facing or identity-client metadata is sensitive. It is a moderate confidentiality issue with no documented active exploitation in the supplied sources.
Technical view
CVE-2026-9794 is a CWE-209 information disclosure flaw in Keycloak SAML ECP fault handling. Remote unauthenticated requests with varying client IDs can produce distinct SOAP faultstrings, exposing client protocol type. CVSS 3.1 is 5.3: network exploitable, low complexity, no privileges, confidentiality low.
Likely exposure
The provided affected list names Red Hat build of Keycloak 26.6 packages, including rhbk/keycloak-rhel9, rhbk/keycloak-rhel9-operator, and rhbk/keycloak-operator-bundle. Exposure is most relevant where the SAML ECP endpoint is reachable by unauthenticated users.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. Exploitation requires sending crafted SOAP requests and interpreting different faultstrings, so the practical risk is reconnaissance and identity-client mapping rather than direct compromise.
Researcher notes
The key signal is differentiated faultstrings, consistent with CWE-209. The documented impact is disclosure of client protocol type only. The supplied evidence does not establish broader Keycloak versions, credential exposure, authentication bypass, exploit publication, or in-the-wild exploitation.
Mitigation direction
- Review RHSA-2026:25097 and RHSA-2026:25098 for vendor-provided updates.
- Prioritize updating affected Red Hat build of Keycloak 26.6 packages.
- Treat Red Hat build of Keycloak 26.6.3 status according to vendor advisory details.
- Restrict unnecessary external access to SAML ECP endpoints where operationally possible.
- Monitor vendor guidance for any revised affected-version or mitigation details.
Validation and detection
- Inventory Keycloak deployments and identify Red Hat build versions and package names.
- Confirm whether SAML ECP endpoints are reachable from untrusted networks.
- Check deployed package status against Red Hat CVE and RHSA records.
- Review logs for unusual unauthenticated SOAP traffic to SAML ECP endpoints.
- After remediation, verify package versions match vendor fixed or unaffected guidance.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-209: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9794 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.3 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4 redhat Vulnerability scoring details
Base CVSS 3.1 score
5.3 MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline redhat
Reported to Red Hat.
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline redhat
Made public.
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- RHSA-2026:25097 CVE reference, redhat · vendor-advisory, x_refsource_REDHAT
- RHSA-2026:25098 CVE reference, redhat · vendor-advisory, x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2026-9794 CVE reference, redhat · vdb-entry, x_refsource_REDHAT
- RHBZ#2482461 CVE reference, redhat · issue-tracking, x_refsource_REDHAT
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Generation of Error Message Containing Sensitive Information
Generation of Error Message Containing Sensitive Information represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.