Improper Access Control in Keycloak Allows Unauthorized JWT Issuance
CVE-2026-1609
8.1HIGH
What is CVE-2026-1609?
A flaw in Keycloak's authentication process allows a remote attacker with low privileges to exploit improper access control when the JSON Web Token (JWT) authorization grant preview feature is enabled. If a user account is disabled but a valid assertion token from an external identity provider is presented, Keycloak fails to properly validate the user's disabled status during the JWT grant processing. This results in unauthorized access to sensitive resources that should otherwise be restricted, posing a serious threat to data security.
Affected Version(s)
Keycloak 26.5.0 < 26.5.3
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.
