
Keycloak: CVE-2026-1486

Severity: HIGH (CVSS 3.1 base score 8.8, vendor: redhat)
Weakness: Improperly Implemented Security Check for Standard (CWE-358)
Published: 2026-02-09 · Assigner: secalert@redhat.com · GitHub advisory: GHSA-37gf-gmxv-74wv

Severity by source

Vendor (redhat), primary: 8.8 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat (qualitative): HIGH (8.8)

Primary rating from Vendor (redhat).

CVSS Vector (Vendor: redhat)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Feb 09, 2026 - 20:15 (nvd)
Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
Patch released: Mar 31, 2026 - 21:13 (nvd); current status: patch available

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4 paths):
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

Description (CVE.org)

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
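
The description above locates the bug in the issuer lookup. The Python model below is an added illustration, not code from Keycloak's code base: it holds a small registry of IdPs, defines an issuer lookup that ignores the enabled flag (the flaw) next to one that filters on it (the fix), and runs a minimal grant handler that verifies an assertion and mints a token. Everything in it is an assumption made for illustration: the IdP aliases, issuers and keys are constructed; assertions are HMAC-signed so the example has no dependencies, whereas a real IdP signs with an asymmetric key; and the function names `lookup_idp_vulnerable` and `lookup_idp_fixed` are mine, not Keycloak's `lookupIdentityProviderFromIssuer`. Client authentication and audience checks of the real grant are omitted.

```python
"""Model of CVE-2026-1486: an issuer lookup that ignores the IdP's enabled
flag lets assertions from a disabled IdP still mint access tokens.

Added example, not Keycloak code. Registry, lookups and HMAC-signed
assertions are assumptions chosen to keep the example self-contained.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class IdentityProvider:
    alias: str
    issuer: str
    signing_key: bytes   # model only: shared HMAC key; real IdPs publish RSA/EC keys
    enabled: bool


# Constructed registry: "partner-idp" was disabled after its key leaked.
IDP_REGISTRY = [
    IdentityProvider("corp-idp", "https://idp.corp.example", b"corp-key-0001", True),
    IdentityProvider("partner-idp", "https://idp.partner.example", b"partner-key-leaked", False),
]


def sign_assertion(idp: IdentityProvider, subject: str) -> str:
    """Build an HS256 JWT assertion exactly as the holder of idp's key would."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": idp.issuer, "sub": subject, "aud": "keycloak",
              "iat": now, "exp": now + 300}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(idp.signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def lookup_idp_vulnerable(issuer: str) -> Optional[IdentityProvider]:
    """Mirrors the flaw: match on issuer only, never consult `enabled`."""
    return next((p for p in IDP_REGISTRY if p.issuer == issuer), None)


def lookup_idp_fixed(issuer: str) -> Optional[IdentityProvider]:
    """Hardened lookup: a disabled IdP is treated as if it were not configured."""
    return next((p for p in IDP_REGISTRY if p.issuer == issuer and p.enabled), None)


def jwt_authorization_grant(assertion: str, lookup) -> Optional[dict]:
    """Minimal grant handler: resolve issuer, verify signature and expiry, mint a token."""
    try:
        header_b64, claims_b64, sig_b64 = assertion.split(".")
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                      # malformed base64url or JSON
        return None
    if not isinstance(claims, dict):
        return None
    idp = lookup(claims.get("iss", ""))
    if idp is None:
        return None                         # unknown issuer (or, when fixed, disabled IdP)
    expected = hmac.new(idp.signing_key, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return {"access_token": "token-for-" + str(claims.get("sub")), "via_idp": idp.alias}


if __name__ == "__main__":
    forged = sign_assertion(IDP_REGISTRY[1], "attacker@partner.example")
    print("vulnerable lookup:", jwt_authorization_grant(forged, lookup_idp_vulnerable))
    print("fixed lookup:     ", jwt_authorization_grant(forged, lookup_idp_fixed))
```

With the vulnerable lookup the forged assertion from the disabled partner IdP yields a token; with the fixed lookup the same assertion is rejected at the issuer step, before any signature work, which is the point the advisory makes: the administrator's "disabled" switch has to be honoured where the IdP is resolved, not only in the login UI.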

Analysis (AI)

Keycloak's JWT authorization grant flow fails to verify that an Identity Provider is enabled before accepting assertions signed with its key, so an attacker holding a disabled IdP's signing credentials can still obtain valid access tokens. This authentication bypass matters to organizations that disabled an IdP because of compromise or offboarding but left its configuration in Keycloak: the IdP's signing key is now held by a party that should no longer be trusted, and the disabled flag does not stop the grant. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: obtain the signing key of a disabled IdP
  • Delivery: craft a JWT assertion whose issuer (iss) is that disabled IdP
  • Exploit: submit the assertion to the jwt-authorization-grant endpoint
  • Execution: the server resolves the IdP by issuer without checking that it is enabled
  • Impact: Keycloak issues a valid access token

Vulnerability Assessment (AI)

Exploitation: requires a Keycloak instance with the jwt-authorization-grant flow enabled; the attacker must possess the private signing key of a disabled Identity Provider; and that IdP must have been configured in Keycloak before an administrator disabled it.
Risk Assessment: CVSS 8.8 (HIGH). …
Exploit Scenario: an attacker who can authenticate to the grant endpoint (PR:L) and holds the disabled IdP's signing key could exploit this flaw to obtain valid access tokens.
Remediation: monitor vendor advisories for a patch. … (This analysis was generated on Mar 12, 2026; the timeline above records a patch release on Mar 31, 2026.)

Recommended Action (AI)

Within 24 hours: Audit all Keycloak instances in your environment and document which ones are actively used for production authentication. …
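
The exploitation conditions and the audit step above come down to one question per realm: which disabled IdPs still carry an issuer, and key material, that an issuer-only lookup can resolve? The helper below is an added example, not Keycloak tooling. It takes the JSON list of identity providers in the shape the Admin REST API returns for GET /admin/realms/{realm}/identity-provider/instances and reports the disabled entries an unpatched server would still honour. The sample data is constructed, and the field names it relies on (alias, enabled, providerId, config.issuer, config.jwksUrl, config.publicKeySignatureVerifier) are my assumptions from OIDC IdP exports; verify them against your server's actual output before trusting the result.

```python
"""Triage helper for CVE-2026-1486: list disabled IdPs a vulnerable server
would still resolve by issuer.

Added example, not Keycloak's own tooling. Input shape and config key names
are assumptions based on Admin REST API identity-provider representations.
"""
import json
from typing import Any, Dict, List

# Config keys that carry material Keycloak can verify assertions against.
# Assumption: names as seen in OIDC identity-provider exports.
VERIFICATION_KEYS = ("jwksUrl", "publicKeySignatureVerifier")

# Constructed sample shaped like the Admin API response for one realm.
SAMPLE_IDPS: List[Dict[str, Any]] = json.loads("""[
  {"alias": "corp-oidc", "enabled": true, "providerId": "oidc",
   "config": {"issuer": "https://idp.corp.example", "useJwksUrl": "true",
              "jwksUrl": "https://idp.corp.example/jwks"}},
  {"alias": "partner-oidc", "enabled": false, "providerId": "oidc",
   "config": {"issuer": "https://idp.partner.example", "useJwksUrl": "true",
              "jwksUrl": "https://idp.partner.example/jwks"}},
  {"alias": "old-saml", "enabled": false, "providerId": "saml",
   "config": {"singleSignOnServiceUrl": "https://sso.old.example/saml"}},
  {"alias": "contractor-oidc", "enabled": false, "providerId": "oidc",
   "config": {"issuer": "https://idp.contractor.example"}}
]""")


def still_accepted_when_disabled(idps: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return disabled IdPs that an issuer-only lookup can still match.

    An entry is reported when it is disabled and has an issuer configured,
    because that is what lookupIdentityProviderFromIssuer keys on. Whether a
    forged assertion then verifies depends on the key material left behind,
    so that is reported alongside rather than used to filter.
    """
    findings = []
    for idp in idps:
        cfg = idp.get("config") or {}
        if idp.get("enabled", True):        # Keycloak defaults enabled to true
            continue
        issuer = cfg.get("issuer")
        if not issuer:
            continue                        # no issuer: the lookup cannot match it
        findings.append({
            "alias": idp.get("alias"),
            "providerId": idp.get("providerId"),
            "issuer": issuer,
            "has_key_material": any(cfg.get(k) for k in VERIFICATION_KEYS),
        })
    return findings


if __name__ == "__main__":
    for finding in still_accepted_when_disabled(SAMPLE_IDPS):
        print(json.dumps(finding))
```

Feed it a realm export or the Admin API response and treat every alias it prints as live trust until the patched version is deployed. Since on affected versions the disabled flag does not stop the grant, the stopgap that follows from the description is to remove the IdP entry (or at least its verification keys) rather than rely on disabling it; that is my reasoning from the CVE text, not a vendor-stated workaround.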
