Description
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
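A constructed Python model of the issuer lookup described above, added here as an illustration and not Keycloak's own code: the vulnerable lookup resolves an IdP by issuer alone, the fixed one also requires the IdP to be enabled. The realm registry, the HMAC-signed assertions and the grant_token helper are stand-ins for the real RSA-signed flow.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class IdentityProvider:
    alias: str
    issuer: str
    enabled: bool
    signing_key: bytes  # constructed stand-in: an HMAC secret instead of an RSA key pair

# Constructed realm: one active partner IdP and one disabled after offboarding, key still on file.
REALM_IDPS: List[IdentityProvider] = [
    IdentityProvider("partner-a", "https://idp-a.example/", True, b"constructed-key-a"),
    IdentityProvider("partner-b", "https://idp-b.example/", False, b"constructed-key-b"),
]

def lookup_idp_vulnerable(issuer: str) -> Optional[IdentityProvider]:
    # Mirrors the flaw: resolves by issuer only and never consults `enabled`.
    return next((p for p in REALM_IDPS if p.issuer == issuer), None)

def lookup_idp_fixed(issuer: str) -> Optional[IdentityProvider]:
    # Hardened: a disabled IdP must not resolve, so its assertions are refused outright.
    return next((p for p in REALM_IDPS if p.issuer == issuer and p.enabled), None)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key: bytes, signing_input: str) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def make_assertion(idp: IdentityProvider, subject: str) -> str:
    # Constructed HS256-shaped assertion signed with the IdP's key on file (demo only).
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": idp.issuer, "sub": subject}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_sign(idp.signing_key, signing_input)}"

def grant_token(assertion: str, lookup: Callable[[str], Optional[IdentityProvider]]) -> Optional[str]:
    """Return the subject a token would be issued for, or None when the assertion is refused."""
    header, payload, sig = assertion.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    idp = lookup(claims["iss"])  # the enabled check lives (or is missing) in the lookup
    if idp is None or not hmac.compare_digest(_sign(idp.signing_key, f"{header}.{payload}"), sig):
        return None
    return claims["sub"]
```

Running grant_token with each lookup over an assertion from the disabled partner-b shows the difference: the vulnerable lookup issues a token, the fixed one refuses it.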
Published: 2026-02-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Token Issuance
Action: Mitigate Keys
AI Analysis

Impact

A flaw in the jwt-authorization-grant flow of Keycloak causes the server to issue tokens without confirming that the Identity Provider (IdP) is enabled. By bypassing the isEnabled check, Keycloak accepts JWT assertions signed with a disabled IdP's private key, resulting in the issuance of valid access tokens to attackers who possess that key.

Affected Systems

Red Hat build of Keycloak 26.4, including version 26.4.9 on Red Hat Enterprise Linux 9, is affected. The vulnerability was identified by Red Hat and documented for the Red Hat build of Keycloak 26.4.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely but possible. Because the vulnerability requires an attacker to possess a disabled IdP's signing key, the attack surface is limited to environments where compromised or offboarded keys are accessible. If an attacker obtains the key, the flaw permits the creation of valid tokens that grant access to protected resources, potentially enabling impersonation or privilege escalation. The flaw is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 21:20 UTC.

Remediation

Vendor Workaround

To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions.
OpenCVE Recommended Actions

  • Immediately revoke or rotate the signing keys for any IdP that has been disabled in Keycloak.
  • Apply the vendor-issued patch or upgrade to the most recent Keycloak release that resolves the jwt-authorization-grant issue.
  • Remove or disable unused or revoked IdPs from the Keycloak configuration to prevent accidental token acceptance.
  • Monitor Keycloak logs for unexpected token issuance and audit access token usage.

Generated by OpenCVE AI on April 17, 2026 at 21:20 UTC.

Advisories
Source: Github GHSA
ID: GHSA-37gf-gmxv-74wv
Title: Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
History

Tue, 10 Feb 2026 15:45:00 +0000

First Time appeared (added): Redhat build Of Keycloak
Vendors & Products (added): Redhat build Of Keycloak

Tue, 10 Feb 2026 01:45:00 +0000

CPEs (changed): cpe:/a:redhat:build_keycloak: -> cpe:/a:redhat:build_keycloak:26.4::el9
References (changed)

Tue, 10 Feb 2026 00:15:00 +0000

References (changed)
Metrics (changed): threat_severity None -> Important

Mon, 09 Feb 2026 21:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 19:30:00 +0000

Description (added): A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
Title (added): Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
First Time appeared (added): Redhat; Redhat build Keycloak
Weaknesses (added): CWE-358
CPEs (added): cpe:/a:redhat:build_keycloak:
Vendors & Products (added): Redhat; Redhat build Keycloak
References (added)
Metrics (added): cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-10T01:00:47.265Z

Reserved: 2026-01-27T13:35:02.603Z

Link: CVE-2026-1486

Vulnrichment

Updated: 2026-02-09T20:53:36.269Z

NVD

Status : Deferred

Published: 2026-02-09T20:15:55.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1486

Redhat

Severity : Important

Public Date: 2026-02-09T18:23:00Z

Links: CVE-2026-1486 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses