CVE-2026-1486 HIGH

CVE-2026-1486: org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.9
Weakness CWE-358
Published February 9, 2026
Last update June 30, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify that an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration by issuer but does not filter out providers with isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
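As an added illustration (not Keycloak's own code and not the vendor's fix), a constructed Java model of the issuer lookup described above: the vulnerable shape matches on issuer alone, so a disabled IdP is still returned, while the hardened shape filters out providers with isEnabled=false before matching. IdpConfig, REALM_IDPS, lookupVulnerable and lookupHardened are hypothetical stand-ins for Keycloak's internals, and the sample issuers are constructed.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-in for Keycloak's IdentityProviderModel, reduced to the fields that matter here.
record IdpConfig(String alias, String issuer, boolean enabled) {}

public class IssuerLookup {
    // Constructed sample realm: one active partner IdP and one an admin disabled after offboarding.
    static final List<IdpConfig> REALM_IDPS = List.of(
        new IdpConfig("partner-a", "https://idp.partner-a.example/realms/prod", true),
        new IdpConfig("partner-b", "https://idp.partner-b.example/realms/prod", false)
    );

    // Vulnerable shape of the lookup: matches on the "iss" value only, ignoring the enabled flag.
    static Optional<IdpConfig> lookupVulnerable(String issuer) {
        return REALM_IDPS.stream()
            .filter(idp -> idp.issuer().equals(issuer))
            .findFirst();
    }

    // Hardened shape: disabled providers are dropped before the issuer match, so no IdP is found
    // for them and the grant is refused exactly as if the issuer were unknown.
    static Optional<IdpConfig> lookupHardened(String issuer) {
        return REALM_IDPS.stream()
            .filter(IdpConfig::enabled)
            .filter(idp -> idp.issuer().equals(issuer))
            .findFirst();
    }

    // Grant decision for an assertion whose signature has already been checked against the IdP key;
    // the only question modelled here is whether the issuing IdP may still be trusted at all.
    static boolean acceptAssertion(Map<String, String> claims, boolean hardened) {
        String iss = claims.get("iss");
        Optional<IdpConfig> idp = hardened ? lookupHardened(iss) : lookupVulnerable(iss);
        return idp.isPresent();
    }

    public static void main(String[] args) {
        // Constructed assertion claims naming the disabled IdP as issuer.
        Map<String, String> fromDisabled = Map.of(
            "iss", "https://idp.partner-b.example/realms/prod",
            "sub", "user-42");
        System.out.println("vulnerable lookup accepts disabled IdP: " + acceptAssertion(fromDisabled, false));
        System.out.println("hardened lookup accepts disabled IdP:   " + acceptAssertion(fromDisabled, true));
    }
}
```

For detection, the same distinction applies to logs: a successful jwt-authorization-grant whose issuer maps to an IdP currently marked disabled in the realm is the signal to alert on.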

Key dates

Disclosure timeline

February 9, 2026 CVE published
June 30, 2026 Record updated