
correct fixed-version metadata and add reporter credit for GHSA-wmxr-6j5f-838p#7280

Open
1seal wants to merge 1 commit into github:1seal/advisory-improvement-7280 from 1seal:codex/keycloak-ghsa-credit

Conversation

@1seal 1seal commented Apr 1, 2026

This PR proposes metadata corrections for GHSA-wmxr-6j5f-838p / CVE-2026-2092.

The current advisory data still marks 26.5.5 as affected for the three Maven packages below and does not include a structured credits[] section.

public sources supporting the metadata update:

  • Keycloak issue #46912 (CVE-2026-2092 saml broker encrypted assertion injection) was closed on 2026-03-05 and labeled release/26.2.14, release/26.4.10, release/26.5.5, and release/26.6.0
  • Keycloak release 26.5.5 was published on 2026-03-05
  • the advisory already references fix commit b40a25908d937bb0563ea516487bc2c7c1d92508

requested changes:

  • align affected[].ranges[].events[] and affected[].versions[] so publicly fixed releases are not still listed as affected
  • if curator policy allows it, add structured credits[] for the original reporter/finder

packages currently showing the incorrect fixed-release state:

  • org.keycloak:keycloak-saml-adapter-core
  • org.keycloak:keycloak-saml-core
  • org.keycloak:keycloak-services

source links:

credit request:

  • reporter/finder: Oleh Konko
  • GitHub handle: @1seal
  • contact: keycloak.response.team@gmail.com

note:

  • This PR is not attempting to relitigate the vulnerability itself. The CVE already exists and the fix commit is already referenced. This only corrects the public advisory record and requests structured attribution.

@github-actions github-actions bot changed the base branch from main to 1seal/advisory-improvement-7280 April 1, 2026 15:57
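The consistency check the PR asks for (versions[] must not enumerate releases that a `fixed` event in ranges[] already covers) can be expressed as a small script over an OSV-format advisory. The following is an added example written for this page; it is neither the PR's content nor the advisory database's own tooling. The advisory JSON embedded in it is a constructed sample that mirrors the state the PR describes (26.5.5 listed in versions[] while ranges[] fixes it at 26.5.5); its range boundaries are hypothetical and are not the real GHSA-wmxr-6j5f-838p record. Version comparison assumes dotted numeric versions as Keycloak uses and does not implement full Maven version ordering.

```python
import json

# Constructed sample, NOT the real GHSA-wmxr-6j5f-838p record. The first affected[]
# entry still lists 26.5.5 in versions[] although ranges[] says it is fixed at 26.5.5;
# the second entry is consistent and should produce no finding.
SAMPLE_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "affected": [
        {
            "package": {"ecosystem": "Maven", "name": "org.keycloak:keycloak-services"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "26.5.0"}, {"fixed": "26.5.5"}]}],
            "versions": ["26.5.0", "26.5.1", "26.5.2", "26.5.3", "26.5.4", "26.5.5"],
        },
        {
            "package": {"ecosystem": "Maven", "name": "org.keycloak:keycloak-saml-core"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "26.5.0"}, {"fixed": "26.5.5"}]}],
            "versions": ["26.5.0", "26.5.1", "26.5.2", "26.5.3", "26.5.4"],
        },
    ],
})


def parse_version(v):
    """Assumption: dotted numeric versions ("26.5.5"); Maven qualifiers are not handled."""
    return tuple(int(p) for p in v.split("."))


def affected_intervals(ranges):
    """Turn OSV ECOSYSTEM range events into [introduced, fixed) intervals.

    A trailing `introduced` with no `fixed` yields an open interval (fixed=None).
    A `fixed` with no preceding `introduced` is treated as introduced at version 0.
    """
    intervals = []
    for r in ranges:
        if r.get("type") != "ECOSYSTEM":
            continue
        introduced = None
        for ev in r.get("events", []):
            if "introduced" in ev:
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev:
                lo = introduced if introduced is not None else (0,)
                intervals.append((lo, parse_version(ev["fixed"])))
                introduced = None
        if introduced is not None:
            intervals.append((introduced, None))
    return intervals


def is_affected(version, intervals):
    """True if `version` falls inside any [introduced, fixed) interval."""
    v = parse_version(version)
    return any(lo <= v and (hi is None or v < hi) for lo, hi in intervals)


def stale_versions(advisory_json):
    """Return {package name: [versions listed in versions[] that ranges[] says are fixed]}.

    An empty dict means versions[] and ranges[].events[] agree for every package.
    """
    advisory = json.loads(advisory_json)
    stale = {}
    for entry in advisory.get("affected", []):
        name = entry["package"]["name"]
        intervals = affected_intervals(entry.get("ranges", []))
        bad = [v for v in entry.get("versions", []) if not is_affected(v, intervals)]
        if bad:
            stale[name] = bad
    return stale


if __name__ == "__main__":
    findings = stale_versions(SAMPLE_ADVISORY)
    if not findings:
        print("versions[] and ranges[] are consistent")
    for pkg, versions in findings.items():
        print(f"{pkg}: listed in versions[] but covered by a fixed event: {versions}")
```

Run it against a downloaded advisory JSON by replacing SAMPLE_ADVISORY with the file contents; any package reported here is one whose versions[] should be trimmed to match its ranges[] before the record is considered correct.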