Platform: java
Component: org.keycloak:keycloak-services
Fixed in: 26.5.3
A critical vulnerability has been identified in Keycloak, specifically within the JWT authorization grant flow. This flaw allows an attacker, possessing a compromised or offboarded Identity Provider (IdP) signing key, to generate valid JWT assertions and obtain access tokens even if the IdP has been disabled. This impacts Keycloak versions 26.5.2 and earlier, and a fix is available in version 26.5.3.
The impact of CVE-2026-1486 is significant. An attacker who obtains an IdP's signing key, even if the IdP is disabled, can impersonate legitimate users and gain unauthorized access to Keycloak-protected resources. This could lead to data breaches, privilege escalation, and complete compromise of the Keycloak instance. The ability to generate valid tokens bypasses standard authentication mechanisms, making detection more difficult. This vulnerability shares similarities with other JWT-related attacks where improper validation of issuer claims can lead to unauthorized access.
CVE-2026-1486 was publicly disclosed on 2026-02-09. The vulnerability's severity is rated HIGH (CVSS: 8.8). There are currently no publicly available proof-of-concept exploits, but the vulnerability's nature suggests a moderate probability of exploitation (EPSS: Medium). It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1486 is to upgrade Keycloak to version 26.5.3 or later immediately. If upgrading is not immediately feasible, consider temporarily disabling the affected IdP(s) to prevent further exploitation; this limits functionality but reduces the attack surface. Implement strict access controls and rotate IdP signing keys regularly so that a compromised or offboarded key has a limited window of usefulness. Monitor Keycloak logs for suspicious JWT activity, particularly assertions whose issuer is an IdP that has been disabled.
Update to a version of Red Hat build of Keycloak that includes the fix for this CVE. See Red Hat security advisories (RHSA) RHSA-2026:2365 and RHSA-2026:2366 for more details and upgrade instructions.
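The monitoring step above can be scripted as a log-triage check: decode the `iss` and `sub` claims of each JWT assertion seen in the logs and flag any assertion whose issuer belongs to an IdP the realm has disabled. The following is an added example, not Keycloak's own code or log format; the `assertion=<jwt>` line layout, the sample tokens and the disabled-IdP list are all constructed for illustration, and the decoder deliberately does not verify signatures because it is for triage only, never for authorization decisions.

```python
import base64
import json
import re

# Hypothetical log layout (constructed for this example, NOT Keycloak's real
# event format): each line carries "type=<event> ... assertion=<jwt>".
ASSERTION_RE = re.compile(
    r"assertion=([A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)"
)


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Suitable for log triage only: an unverified payload must never feed an
    authorization decision.
    """
    _header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def find_assertions_from_disabled_idps(log_lines, disabled_issuers):
    """Return (line_number, issuer, subject) for every JWT assertion in the
    log whose `iss` claim names an IdP that the realm has disabled."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = ASSERTION_RE.search(line)
        if not match:
            continue
        try:
            claims = decode_claims(match.group(1))
        except (ValueError, json.JSONDecodeError):
            continue  # malformed token; not parseable, so skip it here
        issuer = claims.get("iss")
        if issuer in disabled_issuers:
            findings.append((line_no, issuer, claims.get("sub")))
    return findings


def make_constructed_assertion(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature, used only to
    populate the constructed sample log below."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed issuer of an IdP that has been offboarded and disabled.
DISABLED_IDPS = {"https://idp.legacy.example/realms/partner"}

# Constructed sample log: one assertion from a live IdP, one from the disabled one.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SAMPLE_LOG = [
    f"type=CLIENT_LOGIN grant_type={JWT_BEARER} assertion="
    + make_constructed_assertion(
        {"iss": "https://idp.current.example", "sub": "alice", "aud": "keycloak"}
    ),
    f"type=CLIENT_LOGIN grant_type={JWT_BEARER} assertion="
    + make_constructed_assertion(
        {"iss": "https://idp.legacy.example/realms/partner", "sub": "bob", "aud": "keycloak"}
    ),
    "type=LOGOUT user=alice",
]

if __name__ == "__main__":
    for line_no, issuer, subject in find_assertions_from_disabled_idps(SAMPLE_LOG, DISABLED_IDPS):
        print(f"line {line_no}: assertion for sub={subject!r} issued by disabled IdP {issuer}")
```

In practice the disabled-issuer set would be exported from the realm's IdP configuration, and any hit is worth treating as a sign that an offboarded signing key is still in someone's hands, which is exactly the condition this CVE turns into an access-token grant on unpatched versions.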
CVE-2026-1486 is a HIGH severity vulnerability in Keycloak allowing attackers to bypass IdP verification and obtain tokens even with disabled Identity Providers.
Yes, if you are running Keycloak versions 26.5.2 or earlier, you are affected by this vulnerability.
Upgrade Keycloak to version 26.5.3 or later to resolve this vulnerability. As a temporary workaround, disable affected Identity Providers.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential risk.
Refer to the official Keycloak security advisory for detailed information and updates: [https://www.keycloak.org/security/advisories](https://www.keycloak.org/security/advisories)