A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-7307 represents a critical vulnerability in Keycloak's SAML endpoint that allows unauthenticated attackers to trigger a Denial of Service condition through malicious XML input. This vulnerability matters because Keycloak serves as a central identity and access management (IAM) solution for many organizations, and SAML is a widely-used authentication protocol. By crafting specially designed XML payloads, attackers can exhaust server resources—specifically CPU and worker threads—rendering the authentication service unavailable to legitimate users. Any organization relying on Keycloak for authentication, particularly those managing enterprise or cloud environments, faces disruption to their entire access control infrastructure with no prior authentication requirement.
While MITRE ATT&CK techniques are not currently mapped to this CVE, Casky's security skills powered by Claude AI would detect the attack patterns associated with resource exhaustion and Denial of Service vectors. Security practitioners using Casky would identify suspicious activity signatures including: abnormal XML parsing patterns in SAML request logs, sudden spikes in CPU utilization correlating with authentication endpoint requests, thread pool saturation alerts, and unusual request payload structures sent to /auth/realms endpoints. Casky's extended reasoning capabilities would correlate these indicators to recognize the classic hallmarks of XML-based DoS attacks—such as billion laughs attacks or XML bombs—even without explicit ATT&CK mappings, enabling practitioners to detect and respond to exploitation attempts before service degradation occurs.
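The payload-level indicators listed above (unusual SAML request structure, XML-bomb style entity declarations) can be screened before a message ever reaches an XML parser. The sketch below is an added example, not Casky's or Keycloak's code and not a signature for CVE-2026-7307 specifically; the size and depth caps and all function names are assumptions.

```python
import base64
import re
import zlib

MAX_BYTES = 256 * 1024  # assumed cap; set to your largest legitimate SAML message
MAX_DEPTH = 64          # assumed cap on element nesting
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
TAG_RE = re.compile(rb"<(/?)[A-Za-z_][^<>]*?(/?)>")

def decode_saml(value, redirect_binding=False):
    """Decode a SAMLRequest/SAMLResponse value, never returning more than MAX_BYTES + 1."""
    raw = base64.b64decode(value)
    if not redirect_binding:
        return raw[: MAX_BYTES + 1]
    # HTTP-Redirect binding is raw DEFLATE; bound the inflated size so a
    # compressed payload cannot exhaust the screener itself.
    return zlib.decompressobj(-15).decompress(raw, MAX_BYTES + 1)

def max_depth(xml):
    """Estimate element nesting with a linear tag scan, not an XML parser."""
    depth = deepest = 0
    for m in TAG_RE.finditer(xml):
        if m.group(1):            # closing tag
            depth = max(depth - 1, 0)
        elif not m.group(2):      # opening tag that is not self-closing
            depth += 1
            deepest = max(deepest, depth)
    return deepest

def screen(value, redirect_binding=False):
    """Return reasons a payload looks abnormal; an empty list means none found."""
    try:
        xml = decode_saml(value, redirect_binding)
    except (ValueError, zlib.error):
        return ["undecodable"]
    reasons = []
    if len(xml) > MAX_BYTES:
        reasons.append("oversized")
    if DTD_RE.search(xml):
        reasons.append("dtd-or-entity-declaration")
    if max_depth(xml) > MAX_DEPTH:
        reasons.append("excessive-nesting")
    return reasons

# Constructed samples, not captured traffic.
BENIGN = base64.b64encode(b'<samlp:AuthnRequest ID="_1"><saml:Issuer>sp</saml:Issuer></samlp:AuthnRequest>')
WITH_DTD = base64.b64encode(b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("with_dtd", WITH_DTD)):
        print(name, screen(sample))
```

SAML messages are schema-defined and do not need a DTD, so a DOCTYPE or ENTITY hit is worth alerting on by itself; the size and depth caps should be tuned against your own identity providers' traffic.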