Platform: java
Component: org.keycloak:keycloak-services
Fixed in: 26.5.3
A critical vulnerability has been identified in Keycloak, specifically within the JWT authorization grant flow. This flaw allows an attacker, possessing a compromised or offboarded Identity Provider (IdP) signing key, to generate valid JWT assertions and obtain access tokens even if the IdP has been disabled. This impacts Keycloak versions 26.5.2 and earlier, and a fix is available in version 26.5.3.
The impact of CVE-2026-1486 is significant. An attacker who obtains an IdP's signing key, even if the IdP is disabled, can impersonate legitimate users and gain unauthorized access to Keycloak-protected resources. This could lead to data breaches, privilege escalation, and complete compromise of the Keycloak instance. The ability to generate valid tokens bypasses standard authentication mechanisms, making detection more difficult. This vulnerability shares similarities with other JWT-related attacks where improper validation of issuer claims can lead to unauthorized access.
CVE-2026-1486 was publicly disclosed on 2026-02-09. The vulnerability's severity is rated HIGH (CVSS: 8.8). There are currently no publicly available proof-of-concept exploits, but the vulnerability's nature suggests a moderate probability of exploitation (EPSS: Medium). It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Keycloak for authentication and authorization, particularly those utilizing multiple Identity Providers, are at significant risk. Environments with legacy IdP configurations or those that have offboarded users without properly revoking their access tokens are especially vulnerable.
• java / server:
# Check the Keycloak version in use (on the Quarkus distribution the equivalent is bin/kc.sh --version)
java -jar keycloak.jar --version
• java / server:
# Review Keycloak logs for JWT assertions from disabled Identity Providers. Look for errors related to IdP lookup and validation.
grep -i 'disabled idp' /path/to/keycloak/logs/keycloak.log
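The grep above only catches lines that literally mention a disabled IdP. A more useful detection correlates the grant type with the identity provider alias and separates successful token issuance (the signal that matters on an unpatched 26.5.2 build) from rejected attempts. The following is an added example, not code from the advisory or from the Keycloak project. The log lines are constructed; their key=value layout is modelled on Keycloak's jboss-logging event listener output, but the field names (`grant_type`, `identity_provider`, `clientId`, `ipAddress`) are an assumption and should be checked against your deployment's actual log format. The JWT bearer grant type URI is the one defined in RFC 7523.

```python
"""Flag JWT-bearer grant activity that references a disabled identity provider.

Added example, not part of the advisory or of Keycloak itself. Log format and
field names are assumptions modelled on Keycloak's event listener logging.
"""
import re
from dataclasses import dataclass

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type

# Constructed sample: IdP aliases that have been disabled/offboarded in the realm.
DISABLED_IDPS = {"legacy-partner", "old-corp-saml"}

# Constructed sample log lines (not real Keycloak output).
SAMPLE_LOG = """\
2026-02-10 09:12:01,455 INFO  [org.keycloak.events] (executor-thread-3) type=LOGIN, realmId=prod, clientId=portal, userId=8f1c, ipAddress=10.0.0.5, grant_type=authorization_code
2026-02-10 09:13:42,101 INFO  [org.keycloak.events] (executor-thread-7) type=LOGIN, realmId=prod, clientId=api-gw, userId=c0de, ipAddress=10.0.0.9, grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, identity_provider=legacy-partner
2026-02-10 09:14:05,777 INFO  [org.keycloak.events] (executor-thread-2) type=LOGIN, realmId=prod, clientId=api-gw, userId=aa11, ipAddress=10.0.0.9, grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, identity_provider=active-partner
2026-02-10 09:15:30,002 WARN  [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=prod, clientId=api-gw, userId=null, ipAddress=10.0.0.9, error=invalid_token, grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, identity_provider=old-corp-saml
"""

# timestamp, level, logger, thread, then the comma-separated key=value event fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] \([^)]*\) (?P<fields>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    event_type: str
    idp: str
    client: str
    ip: str
    outcome: str  # "token_issued" or "rejected"


def parse_fields(fields: str) -> dict:
    """Split 'k=v, k=v' into a dict; values may themselves contain ':' (grant type URIs)."""
    out = {}
    for part in fields.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def scan(log_text: str, disabled_idps: set) -> list:
    """Return every JWT-bearer grant event whose IdP alias is in the disabled set."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        fields = parse_fields(match.group("fields"))
        if fields.get("grant_type") != JWT_BEARER:
            continue
        idp = fields.get("identity_provider", "")
        if idp not in disabled_idps:
            continue
        # A LOGIN event means a token was actually issued; anything else was rejected.
        outcome = "token_issued" if fields.get("type") == "LOGIN" else "rejected"
        findings.append(Finding(match.group("ts"), fields.get("type", ""), idp,
                                fields.get("clientId", ""), fields.get("ipAddress", ""), outcome))
    return findings


def issued_for_disabled_idp(log_text: str, disabled_idps: set) -> list:
    """Successful issuance through a disabled IdP: the case to investigate on an unpatched build."""
    return [f for f in scan(log_text, disabled_idps) if f.outcome == "token_issued"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, DISABLED_IDPS):
        print(finding)
```

Run against the sample, the scan reports two events tied to disabled IdPs, of which one resulted in a token being issued; that is the line worth pulling the client, source address and subject from for follow-up. Feed it real log output only after confirming the field names match what your event listener emits.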
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-1486 is to immediately upgrade Keycloak to version 26.5.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the affected IdP(s) to prevent further exploitation. While this limits functionality, it reduces the attack surface. Implement strict access controls and regularly rotate IdP signing keys to minimize the impact of a potential key compromise. Monitor Keycloak logs for suspicious JWT activity, particularly assertions from disabled IdPs.
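The two mitigations named above, disabling an IdP and rotating its signing keys, only help if the assertion validator actually consults the IdP's enabled flag and its current key set before trusting a signature. The following is an added example, not the advisory's or Keycloak's own code, showing those checks in the order a validator should apply them. It uses HS256 with a per-kid shared secret so that it runs with only the Python standard library; a real IdP publishes asymmetric keys, but the decision logic (issuer must map to an enabled IdP, kid must be in that IdP's active key set, then signature, audience and expiry) is the same. The registry, secrets, issuer URLs and tokens are all constructed.

```python
"""Validate a JWT assertion against an IdP registry before exchanging it for a token.

Added example, not the advisory's or Keycloak's code. HS256 with shared secrets
is used only to stay self-contained; every issuer, kid and secret is constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_assertion(claims: dict, kid: str, secret: bytes) -> str:
    """Mint an HS256 assertion; stands in for the IdP signing with its key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


# Constructed registry. The offboarded IdP still has key material on record
# (it may have leaked), so the enabled flag must be checked, not just the key.
IDP_REGISTRY = {
    "https://idp.active.example": {
        "enabled": True,
        "active_keys": {"k2": b"rotated-secret"},   # current key after rotation
        "retired_keys": {"k1": b"old-secret"},      # kept for audit, never trusted
    },
    "https://idp.offboarded.example": {
        "enabled": False,
        "active_keys": {"kA": b"partner-secret"},
        "retired_keys": {},
    },
}


class AssertionRejected(Exception):
    pass


def validate_assertion(token: str, registry: dict, audience: str, now=None) -> dict:
    """Return the claims if the assertion is acceptable, else raise AssertionRejected."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64u_dec(h_b64))
        claims = json.loads(_b64u_dec(c_b64))
    except ValueError:  # wrong segment count, bad base64 (binascii.Error), bad JSON
        raise AssertionRejected("malformed token")
    if header.get("alg") != "HS256":
        raise AssertionRejected("unexpected alg")
    idp = registry.get(claims.get("iss"))
    if idp is None:
        raise AssertionRejected("unknown issuer")
    # The check this advisory is about: a disabled IdP must never be trusted,
    # regardless of whether its signature would verify.
    if not idp["enabled"]:
        raise AssertionRejected("issuer is a disabled identity provider")
    # Key rotation only helps if retired kids are refused outright.
    key = idp["active_keys"].get(header.get("kid"))
    if key is None:
        raise AssertionRejected("kid not in active key set (retired or unknown)")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s_b64)):
        raise AssertionRejected("bad signature")
    if claims.get("aud") != audience:
        raise AssertionRejected("wrong audience")
    if claims.get("exp", 0) <= now:
        raise AssertionRejected("expired")
    return claims


def outcome(token: str, registry: dict, audience: str, now=None) -> str:
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        validate_assertion(token, registry, audience, now)
        return "accepted"
    except AssertionRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    aud = "https://keycloak.example/realms/prod"
    now = int(time.time())
    base = {"sub": "alice", "aud": aud, "exp": now + 300}
    good = sign_assertion({**base, "iss": "https://idp.active.example"}, "k2", b"rotated-secret")
    offboarded = sign_assertion({**base, "iss": "https://idp.offboarded.example"}, "kA", b"partner-secret")
    print(outcome(good, IDP_REGISTRY, aud, now))        # accepted
    print(outcome(offboarded, IDP_REGISTRY, aud, now))  # rejected: issuer is a disabled identity provider
```

The ordering is deliberate: the enabled and active-key checks come before signature verification, so a leaked key from an offboarded IdP or a retired key from an active one is refused without ever being used, which is exactly the window the upgrade to 26.5.3 closes.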
Upgrade to a version of Red Hat build of Keycloak that includes the fix for this CVE. See the Red Hat security advisories (RHSA) RHSA-2026:2365 and RHSA-2026:2366 for further details and upgrade instructions.
CVE-2026-1486 is a HIGH severity vulnerability in Keycloak allowing attackers to bypass IdP verification and obtain tokens even with disabled Identity Providers.
Yes, if you are running Keycloak versions 26.5.2 or earlier, you are affected by this vulnerability.
Upgrade Keycloak to version 26.5.3 or later to resolve this vulnerability. As a temporary workaround, disable affected Identity Providers.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential risk.
Refer to the official Keycloak security advisory for detailed information and updates: [https://www.keycloak.org/security/advisories](https://www.keycloak.org/security/advisories)