CVE-2026-1609 in Keycloak信息

摘要

由 MITRE • 2026-07-16

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

来源

Want to know what is going to be exploited?

We predict KEV entries!