Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

AI Analysis

A vulnerability in Keycloak's jwt-authorization-grant flow allows disabled Identity Providers to issue valid access tokens

Basic Information

ID CVE-2026-1486

Source redhat

Published Feb 9, 2026 at 18:36

Modified Feb 9, 2026 at 20:53

Affected Product

Vendor Red Hat

Product Red Hat Build of Keycloak

CWE Classification

CWE-358

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Red Hat

Product Keycloak

References

{
    "lastseen": "",
    "description": "A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.",
    "published": "2026-02-09T18:36:10.268Z",
    "modified": "2026-02-09T20:53:55.678Z",
    "type": "cve",
    "title": "Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant",
    "source": "redhat",
    "references": "https://access.redhat.com/security/cve/CVE-2026-1486\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2433347",
    "id": "CVE-2026-1486",
    "bulletinFamily": "",
    "cwe": [
        "CWE-358"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat Build of Keycloak",
    "version": "",
    "vendor": "Red Hat",
    "ai_description": "A vulnerability in Keycloak's jwt-authorization-grant flow allows disabled Identity Providers to issue valid access tokens",
    "ai_severity": "High",
    "ai_vendor": "Red Hat",
    "ai_product": "Keycloak",
    "ai_version": "",
    "ai_score": 8.8
}

Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant_CVE-2026-1486