exploitDog

CVE-2026-1609

Published: 9 Feb 2026
Source: redhat
CVSS3: 8.1

Description

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

Statement

The Red Hat Product Security team has assessed this vulnerability as High severity; however, it only affects upstream Keycloak version 26.5.2, which includes a preview JWT authorization grant feature. No released Red Hat Build of Keycloak (RHBK) versions are impacted, as this feature has not been shipped in any downstream product. The issue arises from improper enforcement of user disabled-state checks during JWT authorization grant processing, potentially allowing unauthorized access when the preview feature is explicitly enabled. Red Hat products remain unaffected at this time.

Mitigation

To mitigate this issue, ensure that the jwt-authorization-grant preview feature is not enabled in Keycloak deployments. This feature is typically disabled by default. If it has been explicitly enabled, it should be disabled to prevent unauthorized access by disabled user accounts. Consult Keycloak documentation for specific instructions on managing preview features and configuration. A restart of the Keycloak service may be required after disabling the feature for the changes to take effect.
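An added helper (not part of the advisory or of Keycloak) that resolves whether the jwt-authorization-grant preview feature would end up enabled, using Keycloak's documented precedence of command-line options over KC_* environment variables over conf/keycloak.conf, and treating a bare "preview" value as enabling every preview feature; the config text, environment and argument list it inspects are assumed inputs supplied by the caller:

```python
from typing import Dict, List, Optional, Tuple
PREVIEW_FEATURE = "jwt-authorization-grant"  # feature name as given in the advisory

def split_features(value: Optional[str]) -> List[str]:
    """Split a Keycloak feature list such as 'a,b:v1' into bare lowercase names."""
    return [i.strip().split(":", 1)[0].lower() for i in (value or "").split(",") if i.strip()]

def conf_value(conf_text: str, key: str) -> Optional[str]:
    """Return the last 'key=value' assignment for key in keycloak.conf text, ignoring comments."""
    found = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                found = v.strip()
    return found

def cli_value(args: List[str], flag: str) -> Optional[str]:
    """Return the value given as '--flag=value' or '--flag value' on the kc.sh command line."""
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None

def resolve(option: str, env: Dict[str, str], conf_text: str, args: List[str]) -> Tuple[Optional[str], str]:
    """Resolve one option with Keycloak's precedence: CLI, then KC_* env var, then keycloak.conf."""
    cli = cli_value(args, "--" + option)
    if cli is not None:
        return cli, "cli"
    env_key = "KC_" + option.upper().replace("-", "_")
    if env.get(env_key):
        return env[env_key], "env:" + env_key
    return conf_value(conf_text, option), "keycloak.conf"

def jwt_grant_enabled(env: Dict[str, str], conf_text: str, args: List[str]) -> Tuple[bool, str]:
    """Report whether the preview grant is effectively enabled and which source decided it."""
    enabled_raw, enabled_src = resolve("features", env, conf_text, args)
    disabled_raw, disabled_src = resolve("features-disabled", env, conf_text, args)
    if PREVIEW_FEATURE in split_features(disabled_raw):
        return False, disabled_src          # an explicit disable wins
    enabled = split_features(enabled_raw)
    # 'preview' switches on every preview feature, so it enables this one as well.
    if PREVIEW_FEATURE in enabled or "preview" in enabled:
        return True, enabled_src
    return False, "default (feature off)"   # preview features are off unless requested
```

Run it against the real conf/keycloak.conf contents, the process environment and the kc.sh arguments of a deployment; a True result is the condition the mitigation above tells you to remove.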

Affected packages

Platform | Package | State | Advisory | Release
Red Hat JBoss Enterprise Application Platform 8 | keycloak-quarkus-server | Not affected | - | -
Red Hat JBoss Enterprise Application Platform 8 | keycloak-quarkus-server-app | Not affected | - | -
Red Hat JBoss Enterprise Application Platform 8 | keycloak-quarkus-server-deployment | Not affected | - | -
Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-quarkus-server | Not affected | - | -
Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-quarkus-server-app | Not affected | - | -
Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-quarkus-server-deployment | Not affected | - | -

Additional information

Status:

Important
Weakness:
CWE-284
https://bugzilla.redhat.com/show_bug.cgi?id=2435257
org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users

8.1 High

CVSS3

Related vulnerabilities

debian

No description available

8.1 High

CVSS3