PT-2026-26027 · Red Hat · Keycloak

Osidb Bzimport · Published 2026-03-18 · Updated 2026-06-03 · CVE-2026-2575

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: A flaw in Keycloak allows an unauthenticated remote attacker to trigger an application-level denial of service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server does not enforce a size limit while DEFLATE-decompressing the parameter, so a small payload that inflates to a very large buffer exhausts the heap, resulting in an OutOfMemoryError (OOM) and termination of the process, and thereby disrupting the availability of the service.
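The following is an added example, not Keycloak's own code, showing the decompression step of the Redirect Binding on both sides: how a service provider encodes a SAMLRequest (raw DEFLATE, base64, URL-encoding), how an unbounded inflate hands the attacker control over the output size, and how a bounded inflate refuses a payload that would expand past a cap. The sample AuthnRequest, the `MAX_INFLATED_BYTES` cap, the function names and the bomb construction are all assumptions made for illustration and do not describe how Keycloak implements or fixes this step.

```python
"""Bounded inflate for SAML Redirect Binding payloads.

Added example, not Keycloak code. The cap, function names and the sample
AuthnRequest are assumptions/constructed for illustration.
"""
import base64
import zlib
from urllib.parse import quote, unquote

# Hypothetical cap on the decompressed SAMLRequest; real AuthnRequests are a few KB.
MAX_INFLATED_BYTES = 1024 * 1024

# Constructed sample: a minimal AuthnRequest as a service provider would send it.
SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0" IssueInstant="2026-01-01T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example/acs"/>'
)


class InflateLimitExceeded(ValueError):
    """Raised when the DEFLATE stream would expand past the configured cap."""


def encode_redirect_param(xml: bytes) -> str:
    """Redirect Binding encoding: raw DEFLATE (no zlib header), base64, URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE per the binding
    raw = c.compress(xml) + c.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_param(param: str) -> bytes:
    """Reverse the URL and base64 layers, returning the still-compressed bytes."""
    return base64.b64decode(unquote(param), validate=True)


def inflate_unbounded(raw: bytes) -> bytes:
    """The failure mode: inflate whatever the peer sent, with the peer choosing the size."""
    return zlib.decompress(raw, -15)


def inflate_bounded(raw: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate at most `limit` bytes; refuse the stream if it would expand further."""
    d = zlib.decompressobj(wbits=-15)
    # Ask zlib for at most limit+1 output bytes: one byte over is enough to reject,
    # and the buffer never grows with the attacker's chosen expansion ratio.
    out = d.decompress(raw, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise InflateLimitExceeded(
            f"SAMLRequest expands past {limit} bytes from {len(raw)} compressed bytes")
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def parse_saml_request(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """What an IdP endpoint handling ?SAMLRequest= should do before touching any XML."""
    return inflate_bounded(decode_redirect_param(param), limit)


def would_reject(param: str, limit: int = MAX_INFLATED_BYTES) -> bool:
    """True if the bounded parser refuses the payload."""
    try:
        parse_saml_request(param, limit)
    except InflateLimitExceeded:
        return True
    return False


def make_bomb(inflated_size: int) -> str:
    """Constructed attacker payload: a highly compressible block of zeros."""
    return encode_redirect_param(b"\0" * inflated_size)


if __name__ == "__main__":
    legit = encode_redirect_param(SAMPLE_AUTHN_REQUEST)
    print("legit param length:", len(legit))
    print(parse_saml_request(legit)[:40])
    bomb = make_bomb(64 * 1024 * 1024)
    print("bomb param length:", len(bomb), "rejected:", would_reject(bomb))
```

The contrast to note is that the bomb is only a few kilobytes on the wire, so nothing about the HTTP request itself looks unusual; only the decompression step can see the expansion, which is why the cap has to be applied to the inflater's output rather than to the request size.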
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Because a DEFLATE stream can expand by up to roughly 1032:1, a small SAMLRequest parameter can inflate to a large buffer; limits on request or URL size therefore only bound the expansion proportionally, and the effective control is a cap on the decompressed output.

DoS


Weakness Enumeration

Related Identifiers

CVE-2026-2575
GHSA-XV6H-R36F-3GP5

Affected Products

Keycloak