PatchSiren cyber security CVE debrief

CVE-2026-1486 Red Hat CVE debrief

CVE-2026-1486 is a high-severity vulnerability in Keycloak's jwt-authorization-grant flow. The flaw allows an attacker to obtain valid access tokens even when the Identity Provider (IdP) whose key signed the assertion has been disabled, because the server does not verify that an IdP is enabled before issuing tokens. The vulnerability has a CVSS score of 8.8 and is rated HIGH severity. The issue arises in the issuer lookup, which retrieves the IdP configuration by issuer but does not exclude providers with isEnabled=false. Consequently, an entity holding a disabled IdP's signing key can still produce JWT assertions that Keycloak accepts. This vulnerability was made public on February 9, 2026, and the details were last modified on June 30, 2026.

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-09
Original CVE updated: 2026-06-30
Advisory published: 2026-02-09
Advisory updated: 2026-06-30

Who should care

Administrators and security teams using Keycloak for identity and access management should be aware of this vulnerability. Given its high severity and potential impact, immediate attention is required to assess and mitigate the risk. Organizations that rely on Keycloak for authentication and authorization need to verify their configurations and apply necessary patches or workarounds.

Technical summary

The vulnerability exists in the jwt-authorization-grant flow of Keycloak, where the server fails to verify whether an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) retrieves the IdP configuration matching the assertion's issuer but does not exclude providers with isEnabled=false. An entity possessing a disabled IdP's signing key can therefore generate JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the associated weakness is CWE-358.
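A simplified model of the lookup described above, added here as an illustration and not Keycloak's code: the IdP table, the HMAC-signed assertions and both lookup functions are constructed stand-ins (Keycloak verifies against each provider's configured keys, not a shared secret). The vulnerable lookup matches on issuer alone, the hardened one also requires the provider to be enabled, and the grant function shows that only the hardened variant refuses an assertion signed with a disabled IdP's key.

```python
import base64, hashlib, hmac, json

# Constructed realm state (not a real Keycloak configuration): one enabled IdP
# and one an administrator has disabled but whose signing key still exists.
IDPS = [
    {"alias": "corp-oidc", "issuer": "https://idp.corp.example/realms/corp",
     "enabled": True, "key": b"corp-signing-key"},
    {"alias": "legacy-saml", "issuer": "https://legacy.example/issuer",
     "enabled": False, "key": b"legacy-signing-key"},
]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_test_assertion(alias: str, subject: str) -> str:
    """Test fixture: an HS256-style assertion signed with the named IdP's key."""
    idp = next(i for i in IDPS if i["alias"] == alias)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": idp["issuer"], "sub": subject}).encode())
    sig = hmac.new(idp["key"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def lookup_idp_vulnerable(issuer: str):
    """Behaviour the advisory describes: match on issuer only, ignoring 'enabled'."""
    return next((i for i in IDPS if i["issuer"] == issuer), None)

def lookup_idp_fixed(issuer: str):
    """Hardened lookup: a disabled IdP is treated as unknown, so no token is issued."""
    return next((i for i in IDPS if i["issuer"] == issuer and i["enabled"]), None)

def grant_subject(assertion: str, lookup):
    """Subject a token would be issued for, or None when the grant is refused."""
    try:
        header, payload, sig = assertion.split(".")
        claims = json.loads(_b64url_decode(payload))
        provided = _b64url_decode(sig)
    except ValueError:  # malformed assertion, bad base64 or bad JSON
        return None
    idp = lookup(claims.get("iss", ""))
    if idp is None:
        return None
    expected = hmac.new(idp["key"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return claims.get("sub") if hmac.compare_digest(expected, provided) else None
```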

Defensive priority

High priority should be given to patching or mitigating this vulnerability due to its high severity and potential for exploitation. Organizations should verify their Keycloak configurations, assess the impact of disabled IdPs, and apply necessary patches or workarounds.

Recommended defensive actions

  • Review and apply patches or updates provided by the vendor to fix the vulnerability.
  • Verify the configuration of Identity Providers in Keycloak to ensure only enabled IdPs are issuing tokens.
  • Implement compensating controls such as additional authentication or authorization checks for access tokens issued under suspicious circumstances.
  • Monitor for unusual activity or exploitation attempts related to this vulnerability.
  • Update incident response plans to include procedures for handling potential exploitation of this vulnerability.

Evidence notes

The CVE record and details were obtained from official sources, including CVE.org and the National Vulnerability Database (NVD). Additional information was gathered from Red Hat's security advisories and Bugzilla reports. The information provided is based on the data available up to June 30, 2026.

Official resources

This article is AI-assisted and based on the supplied source corpus.