Improper Access Control in Keycloak Allows Unauthorized JWT Issuance
CVE-2026-1609

8.1HIGH

What is CVE-2026-1609?

A flaw in Keycloak's authentication process allows a remote attacker with low privileges to exploit improper access control when the JSON Web Token (JWT) authorization grant preview feature is enabled. If a user account is disabled but a valid assertion token from an external identity provider is presented, Keycloak fails to properly validate the user's disabled status during the JWT grant processing. This results in unauthorized access to sensitive resources that should otherwise be restricted, posing a serious threat to data security.

Affected Version(s)

Keycloak 26.5.0 < 26.5.3

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.
.