CVE-2026-1609
Received Received - Intake

Keycloak JWT Authorization Grant Improper Access Control

Vulnerability report for CVE-2026-1609, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Red Hat, Inc.

Description

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
keycloak keycloak From 26.5.3 (inc)
keycloak keycloak 26.5
keycloak keycloak 26.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-1609 is an improper access control flaw in Keycloak where disabled users can still obtain JWT tokens via the JWT Authorization Grant feature. When this feature is enabled and a user account is disabled, Keycloak fails to check the disabled status during token processing. An attacker with low privileges can exploit this by using a valid assertion token from an external identity provider to get a JWT for a disabled user, gaining unauthorized access to sensitive resources.

Impact Analysis

This vulnerability allows unauthorized access to sensitive resources even when user accounts are disabled. Attackers could exploit it to gain access to protected endpoints, potentially leading to data breaches, unauthorized actions, or further compromise of the system. The impact is higher if the JWT Authorization Grant feature is enabled in Keycloak.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements under GDPR, HIPAA, and other regulations. It may result in data breaches, unauthorized processing of personal data, and failure to implement proper access controls, potentially leading to legal penalties, fines, or reputational damage.

Detection Guidance

To detect this vulnerability, check if Keycloak is running version 26.5 or later and if the JWT Authorization Grant feature is enabled. Inspect Keycloak logs for disabled user token requests or unusual JWT generation patterns. Verify if disabled users have active tokens by querying the Keycloak admin API for user sessions.

Mitigation Strategies

Upgrade Keycloak to version 26.5.3 or later immediately. Disable the JWT Authorization Grant feature if not required. Review and revoke tokens for disabled users. Monitor logs for suspicious activity and restrict access to sensitive resources until the issue is resolved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1609. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart