Back to overview

CVE-2026-1609

HIGH
8.1
CVSS 3.1
Description
A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

Metadata

CVE ID
CVE-2026-1609
State
PUBLISHED
Assigner
redhat
Reserved
2026-01-29 12:08 UTC
Published
2026-07-16 00:26 UTC
Last updated
2026-07-16 00:26 UTC
Primary CWE
CWE-284
Improper Access Control
Vendor / Product
Keycloak / Keycloak
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products (7)
VendorProductPlatformVersions
Keycloak Keycloak 26.5.0 < 26.5.3
Red Hat Red Hat JBoss Enterprise Application Platform 8
Red Hat Red Hat JBoss Enterprise Application Platform 8
Red Hat Red Hat JBoss Enterprise Application Platform 8
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack
Weakness (CWE)
CWESourceDescription
CWE-284 cna Improper Access Control
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Back to overview