{"api_version":"1","generated_at":"2026-07-08T17:36:12+00:00","cve":"CVE-2026-1486","urls":{"html":"https://cve.report/CVE-2026-1486","api":"https://cve.report/api/cve/CVE-2026-1486.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-1486","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-1486"},"summary":{"title":"Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant","description":"A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-02-09 20:15:55","updated_at":"2026-06-30 03:17:16"},"problem_types":["CWE-358","CWE-358 Improperly Implemented Security Check for Standard"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:2365","name":"https://access.redhat.com/errata/RHSA-2026:2365","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1486.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1486.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:2366","name":"https://access.redhat.com/errata/RHSA-2026:2366","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433347","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2433347","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-1486","name":"https://access.redhat.com/security/cve/CVE-2026-1486","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-1486","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1486","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4.9-1 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4-11 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"unaffected 26.4-10 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.9","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-01-27T13:34:53.016Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-02-09T18:23:00.000Z","lang":"en","value":"Made public."},{"source":"ADP","time":"2026-01-27T13:34:53.016Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-09T18:23:00.000Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:2366: Red Hat build of Keycloak 26.4","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:2365: Red Hat build of Keycloak 26.4.9","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions.","time":"","lang":"en"},{"source":"ADP","title":"","value":"To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank Joy Gilbert Dan and Reynaldo Immanuel for reporting this issue.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"1486","cve":"CVE-2026-1486","epss":"0.004490000","percentile":"0.359270000","score_date":"2026-07-01","updated_at":"2026-07-02 00:05:26"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-1486","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-02-09T20:53:28.857999Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-09T20:53:55.678Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","product":"Red Hat build of Keycloak 26.4.9","vendor":"Red Hat"}],"datePublic":"2026-02-09T18:23:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-358","description":"Improperly Implemented Security Check for Standard","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:45:52.961Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-1486"},{"name":"RHBZ#2433347","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433347"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1486.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2366"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2365"}],"solutions":[{"lang":"en","value":"RHSA-2026:2366: Red Hat build of Keycloak 26.4"},{"lang":"en","value":"RHSA-2026:2365: Red Hat build of Keycloak 26.4.9"}],"timeline":[{"lang":"en","time":"2026-01-27T13:34:53.016Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-09T18:23:00.000Z","value":"Made public."}],"title":"org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant","workarounds":[{"lang":"en","value":"To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-operator-bundle","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4.9-1","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4-11","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"affected","packageName":"rhbk/keycloak-rhel9-operator","product":"Red Hat build of Keycloak 26.4","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"26.4-10","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"],"defaultStatus":"unaffected","packageName":"rhbk/keycloak-rhel9","product":"Red Hat build of Keycloak 26.4.9","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank Joy Gilbert Dan and Reynaldo Immanuel for reporting this issue."}],"datePublic":"2026-02-09T18:23:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-358","description":"Improperly Implemented Security Check for Standard","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-10T01:00:47.265Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2026:2365","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2365"},{"name":"RHSA-2026:2366","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:2366"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-1486"},{"name":"RHBZ#2433347","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433347"}],"timeline":[{"lang":"en","time":"2026-01-27T13:34:53.016Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-09T18:23:00.000Z","value":"Made public."}],"title":"Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant","workarounds":[{"lang":"en","value":"To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-358: Improperly Implemented Security Check for Standard"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-1486","datePublished":"2026-02-09T18:36:10.268Z","dateReserved":"2026-01-27T13:35:02.603Z","dateUpdated":"2026-06-30T02:45:52.961Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-09 20:15:55","lastModifiedDate":"2026-06-30 03:17:16","problem_types":["CWE-358","CWE-358 Improperly Implemented Security Check for Standard"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-09T20:53:28.857999Z","id":"CVE-2026-1486","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"1486","Ordinal":"1","Title":"Org.keycloak.protocol.oidc.grants: disabled identity providers a","CVE":"CVE-2026-1486","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"1486","Ordinal":"1","NoteData":"A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.","Type":"Description","Title":"Org.keycloak.protocol.oidc.grants: disabled identity providers a"}]}}}