Keycloak. CVE-2026-1486
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.5.0.
DescriptionCVE.org
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
AnalysisAI
Keycloak's JWT authorization grant flow fails to verify that an Identity Provider is enabled before accepting tokens signed by its key, allowing attackers with a disabled IdP's signing credentials to obtain valid access tokens. This authentication bypass affects organizations that have disabled IdPs due to compromise or offboarding but retain the associated signing keys. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Keycloak instance with jwt-authorization-grant flow enabled; attacker must possess the private signing key of a disabled Identity Provider; IdP must have been previously configured in Keycloak before being disabled by administrator. Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker (requires authentication) could exploit this flaw, the issuance of valid access tokens. |
| Remediation | Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Keycloak instances in your environment and document which ones are actively used for production authentication. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-37gf-gmxv-74wv