What is CVE-2026-1190?

CVE-2026-1190 is a low-severity vulnerability in Red Hat Build Of Keycloak 26.4, classified under CWE-112. CVSS score: 3.1/10. Published 2026-01-26.

How severe is CVE-2026-1190?

Low severity. CVSS v3 base score is 3.1 out of 10.

Vulnerability in Red Hat Build Of Keycloak 26.4

CVE-2026-1190

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationDat…

EPSS: 0.000 (6.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N.

Affected products

Red Hat Build Of Keycloak 26.4 — versions 26.4.10-1, 26.4-12
Red Hat Build Of Keycloak 26.4.10
Red Hat Jboss Enterprise Application Platform 8
Red Hat Jboss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-on 7

Weakness classification (CWE)

CWE-112

References

RHSA-2026:3947 (vendor-advisory, x_refsource_REDHAT)
RHSA-2026:3948 (vendor-advisory, x_refsource_REDHAT)
access.redhat.com/security/cve/CVE-2026-1190 (vdb-entry, x_refsource_REDHAT)
RHBZ#2430835 (issue-tracking, x_refsource_REDHAT)

Frequently asked questions

What is CVE-2026-1190?: CVE-2026-1190 is a low-severity vulnerability in Red Hat Build Of Keycloak 26.4, classified under CWE-112. CVSS score: 3.1/10. Published 2026-01-26.
How severe is CVE-2026-1190?: Low severity. CVSS v3 base score is 3.1 out of 10.