CVE-2026-1609 in Keycloakinfo

Zusammenfassung

von MITRE • 16.07.2026

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Zuständig

Redhat

Reservieren

29.01.2026

Veröffentlichung

16.07.2026

Moderieren

akzeptiert

Eintrag

VDB-379451

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Want to stay up to date on a daily basis?

Enable the mail alert feature now!