Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-1486

Опубликовано: 09 фев. 2026
Источник: redhat
CVSS3: 8.8
EPSS Низкий

Описание

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

Отчет

This vulnerability is rated Important for Red Hat products because Keycloak, when configured with JWT authorization grants, fails to verify the enabled status of an Identity Provider (IdP). An attacker possessing the IdP's signing key can issue valid access tokens even if the IdP has been administratively disabled, leading to unauthorized access.

Меры по смягчению последствий

To mitigate this issue, administrators should immediately revoke or rotate the signing keys associated with any Identity Provider that has been disabled in Keycloak. This operational control is crucial to prevent unauthorized token issuance by ensuring that compromised or offboarded IdP keys cannot be used to generate valid JWT assertions.

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-358
https://bugzilla.redhat.com/show_bug.cgi?id=2433347org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant

EPSS

Процентиль: 14%
0.00045
Низкий

8.8 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-1486

CVSS3: 8.8
nvd
3 дня назад

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

debian логотип

CVE-2026-1486

CVSS3: 8.8
debian
3 дня назад

A flaw was found in Keycloak. A vulnerability exists in the jwt-author ...

github логотип

GHSA-37gf-gmxv-74wv

CVSS3: 8.8
github
3 дня назад

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

EPSS

Процентиль: 14%
0.00045
Низкий

8.8 High

CVSS3