Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
Summary
| CVE | CVE-2026-1486 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-09 20:15:55 UTC |
| Updated | 2026-06-30 03:17:16 UTC |
| Description | A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.004490000 probability, percentile 0.359270000 (date 2026-07-01)
Problem Types: CWE-358 | CWE-358 Improperly Implemented Security Check for Standard
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4.9-1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4-11 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4-10 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4.9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak 26.4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak 26.4.9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:2365 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1486.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2366 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-1486 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Joy Gilbert Dan and Reynaldo Immanuel for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-01-27T13:34:53.016Z | Reported to Red Hat. |
| CNA | 2026-02-09T18:23:00.000Z | Made public. |
| ADP | 2026-01-27T13:34:53.016Z | Reported to Red Hat. |
| ADP | 2026-02-09T18:23:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:2366: Red Hat build of Keycloak 26.4
ADP: RHSA-2026:2365: Red Hat build of Keycloak 26.4.9
Workarounds
CNA: To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions.
ADP: To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions.