A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

Project Subscriptions

Vendors Products
Keycloak Subscribe
Keycloak-quarkus-server Subscribe
Jboss Enterprise Application Platform Subscribe
Jbosseapxp Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

To mitigate this issue, ensure that the `jwt-authorization-grant` preview feature is not enabled in Keycloak deployments. This feature is typically disabled by default. If it has been explicitly enabled, it should be disabled to prevent unauthorized access by disabled user accounts. Consult Keycloak documentation for specific instructions on managing preview features and configuration. A restart of the Keycloak service may be required after disabling the feature for the changes to take effect.

History

Thu, 16 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Title org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization grant with disabled users
First Time appeared Redhat
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
Vendors & Products Redhat
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
References

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Keycloak
Keycloak keycloak-quarkus-server
Vendors & Products Keycloak
Keycloak keycloak-quarkus-server

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.
Title org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users
Weaknesses CWE-284
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-16T15:11:51.549Z

Reserved: 2026-01-29T12:08:57.214Z

Link: CVE-2026-1609

cve-icon Vulnrichment

Updated: 2026-07-16T12:04:37.270Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-09T18:59:00Z

Links: CVE-2026-1609 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-02-11T22:00:54Z

Weaknesses