{}

{}

{}

{"bugzilla": {"description": "org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users", "id": "2435257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435257"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-284", "details": ["A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user\u2019s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that the `jwt-authorization-grant` preview feature is not enabled in Keycloak deployments. This feature is typically disabled by default. If it has been explicitly enabled, it should be disabled to prevent unauthorized access by disabled user accounts. Consult Keycloak documentation for specific instructions on managing preview features and configuration. A restart of the Keycloak service may be required after disabling the feature for the changes to take effect."}, "name": "CVE-2026-1609", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-app", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-deployment", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-app", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-deployment", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-09T18:59:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1609\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1609"], "statement": "The Red Hat Product Security team has assessed this vulnerability as High severity; however, it only affects upstream Keycloak version 26.5.2, which includes a preview JWT authorization grant feature. No released Red Hat Build of Keycloak (RHBK) versions are impacted, as this feature has not been shipped in any downstream product. The issue arises from improper enforcement of user disabled-state checks during JWT authorization grant processing, potentially allowing unauthorized access when the preview feature is explicitly enabled. Red Hat products remain unaffected at this time.", "threat_severity": "Important"}

{}