CVE-2026-1609 PUBLISHED

Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization grant with disabled users

Assigner: redhat
Reserved: 29.01.2026 Published: 16.07.2026 Updated: 16.07.2026

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Product Status

Vendor Keycloak
Product Keycloak
Versions Default: unaffected
  • affected from 26.5.0 to 26.5.3 (excl.)
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: unaffected

Workarounds

To mitigate this issue, ensure that the jwt-authorization-grant preview feature is not enabled in Keycloak deployments. This feature is typically disabled by default. If it has been explicitly enabled, it should be disabled to prevent unauthorized access by disabled user accounts. Consult Keycloak documentation for specific instructions on managing preview features and configuration. A restart of the Keycloak service may be required after disabling the feature for the changes to take effect.

Credits

  • Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.

References

Problem Types

  • Improper Access Control CWE