HIGH · CVE-2026-1486 · CVSS 8.8

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens


Platform: java

Component: org.keycloak:keycloak-services

Fixed in: 26.5.3

AI Confidence: high · NVD · EPSS 0.0% · Assessed: May 2026

A critical vulnerability has been identified in Keycloak, specifically within the JWT authorization grant flow. This flaw allows an attacker, possessing a compromised or offboarded Identity Provider (IdP) signing key, to generate valid JWT assertions and obtain access tokens even if the IdP has been disabled. This impacts Keycloak versions 26.5.2 and earlier, and a fix is available in version 26.5.3.


Impact and Attack Scenarios

The impact of CVE-2026-1486 is significant. An attacker who obtains an IdP's signing key, even if the IdP is disabled, can impersonate legitimate users and gain unauthorized access to Keycloak-protected resources. This could lead to data breaches, privilege escalation, and complete compromise of the Keycloak instance. The ability to generate valid tokens bypasses standard authentication mechanisms, making detection more difficult. This vulnerability shares similarities with other JWT-related attacks where improper validation of issuer claims can lead to unauthorized access.

Exploitation Context

CVE-2026-1486 was publicly disclosed on 2026-02-09. The vulnerability's severity is rated HIGH (CVSS: 8.8). There are currently no publicly available proof-of-concept exploits, but the vulnerability's nature suggests a moderate probability of exploitation (EPSS: Medium). It is not currently listed on the CISA KEV catalog.

Who Is at Risk

Organizations heavily reliant on Keycloak for authentication and authorization, particularly those utilizing multiple Identity Providers, are at significant risk. Environments with legacy IdP configurations or those that have offboarded users without properly revoking their access tokens are especially vulnerable.

Detection Steps

• java / server:

# Check Keycloak version
java -jar keycloak.jar --version

• java / server:

# Review Keycloak logs for JWT assertions from disabled Identity Providers; look for errors related to IdP lookup and validation.
grep -i 'disabled idp' /path/to/keycloak/logs/keycloak.log

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: High

EPSS

0.02% (6th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

Threat Intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H → 8.8 HIGH
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: None (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete crash or resource exhaustion. Total denial of service.

Affected Software

Component: org.keycloak:keycloak-services
Source: osv
Affected range: 26.5.0
Fixed in: 26.5.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-1486 is to immediately upgrade Keycloak to version 26.5.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the affected IdP(s) to prevent further exploitation. While this limits functionality, it reduces the attack surface. Implement strict access controls and regularly rotate IdP signing keys to minimize the impact of a potential key compromise. Monitor Keycloak logs for suspicious JWT activity, particularly assertions from disabled IdPs.
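The version check and the disabled-IdP review from the detection and mitigation sections above, as one added audit script that is not code from the advisory or from the Keycloak project. It assumes the Keycloak Admin REST API paths /admin/serverinfo and /admin/realms/{realm}/identity-provider/instances with their usual JSON fields, uses placeholder URL, realm and token values, and takes the affected range (26.5.0 up to but excluding 26.5.3) from the Affected Software table.

```python
# Added example (not from the advisory or the Keycloak project): audit a realm for
# the CVE-2026-1486 risk conditions: a vulnerable version plus IdPs that are disabled
# but still configured, so their signing keys remain trusted. Assumed: Admin REST API
# paths /admin/serverinfo and /admin/realms/{realm}/identity-provider/instances.
import json
from urllib.request import Request, urlopen

AFFECTED_FROM = (26, 5, 0)  # affected range starts at 26.5.0 (advisory table)
FIXED_VERSION = (26, 5, 3)  # fix shipped in 26.5.3 (advisory)

def parse_version(text):
    """'26.5.2' or '26.5.2.Final' -> (26, 5, 2); non-numeric suffixes are ignored."""
    nums = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        nums.append(int(digits))
    return tuple((nums + [0, 0, 0])[:3])

def is_vulnerable_version(text):
    return AFFECTED_FROM <= parse_version(text) < FIXED_VERSION

def disabled_idps(idps):
    """Aliases of IdPs that are disabled yet still present in the realm."""
    return sorted(i["alias"] for i in idps if not i.get("enabled", True))

def audit(version, idps):
    """One finding per realm: is the server vulnerable, and which IdP keys to act on."""
    stale, vulnerable = disabled_idps(idps), is_vulnerable_version(version)
    if vulnerable and stale:
        action = "upgrade to 26.5.3+ and rotate or delete keys of: " + ", ".join(stale)
    elif vulnerable:
        action = "upgrade to 26.5.3+"
    else:
        action = "none" if not stale else "fixed version; still review disabled IdPs: " + ", ".join(stale)
    return {"version": version, "vulnerable_version": vulnerable,
            "disabled_idps": stale, "action": action}

def fetch_json(base_url, path, token):
    """GET an Admin REST API resource with a bearer token (placeholder values)."""
    req = Request(base_url + path, headers={"Authorization": "Bearer " + token})
    with urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    BASE, REALM, TOKEN = "https://keycloak.example", "myrealm", "<admin-token>"
    version = fetch_json(BASE, "/admin/serverinfo", TOKEN)["systemInfo"]["version"]
    idps = fetch_json(BASE, f"/admin/realms/{REALM}/identity-provider/instances", TOKEN)
    print(json.dumps(audit(version, idps), indent=2))
```

The `__main__` block needs an admin bearer token with rights to read server info and the realm's identity providers; the pure functions run offline on the JSON the API returns.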

How to Fix

Upgrade to a version of Red Hat build of Keycloak that includes the fix for this CVE. See the Red Hat security advisories (RHSA) RHSA-2026:2365 and RHSA-2026:2366 for further details and upgrade instructions.


Frequently Asked Questions

What is CVE-2026-1486 — JWT Authorization Grant in Keycloak?

CVE-2026-1486 is a HIGH severity vulnerability in Keycloak allowing attackers to bypass IdP verification and obtain tokens even with disabled Identity Providers.

Am I affected by CVE-2026-1486 in Keycloak?

Yes, if you are running Keycloak versions 26.5.2 or earlier, you are affected by this vulnerability.

How do I fix CVE-2026-1486 in Keycloak?

Upgrade Keycloak to version 26.5.3 or later to resolve this vulnerability. As a temporary workaround, disable affected Identity Providers.

Is CVE-2026-1486 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential risk.

Where can I find the official Keycloak advisory for CVE-2026-1486?

Refer to the official Keycloak security advisory for detailed information and updates: [https://www.keycloak.org/security/advisories](https://www.keycloak.org/security/advisories)
