Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language SAML broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. Thi...

CVE-2026-2092 Keycloak-services: keycloak: unauthorized access via improper validation of encrypted saml assertions

A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language SAML broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. Thi...

CVE-2026-2092

Keycloak SAML broker endpoint vulnerability: encrypted SAML assertions are not properly validated when the overall SAML response is unsigned. An attacker with a valid signed SAML assertion can craft a malicious SAML response to inject an encrypted assertion for an arbitrary principal, leading to ...

PT-2026-25967

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak’s Security Assertion Markup Language SAML broker endpoint. The endpoint does not properly validate encrypted assertions when the overall SAML response is not signed...

CVE-2025-54369

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the unsigned original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify...

Improper Verification of Cryptographic Signature

Overview node-saml is a SAML 2.0 Library Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to loading assertions from unsigned response documents. An attacker can alter authentication details, such as modifying the username in a SAML assertio...

Systemd-resolved: unsigned name response in signed zone is not refused when dnssec=yes

...

PT-2024-5029 · Apache · Apache Cloudstack

Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.5.0 through 4.18.2.1 Apache CloudStack versions 4.19.0.0 through 4.19.0.2 Description: The issue is related to the SAML authentication mechanism in Apache CloudStack, which does not enforce signature checks when...

systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles or the upstream DNS resolver to manipulate records...