Project Subscriptions
No advisories yet.
Solution
No solution given by the vendor.
Workaround
To mitigate this issue, ensure that the `jwt-authorization-grant` preview feature is not enabled in Keycloak deployments. This feature is typically disabled by default. If it has been explicitly enabled, it should be disabled to prevent unauthorized access by disabled user accounts. Consult Keycloak documentation for specific instructions on managing preview features and configuration. A restart of the Keycloak service may be required after disabling the feature for the changes to take effect.
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 01:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users | Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization grant with disabled users |
| First Time appeared |
Redhat
Redhat jboss Enterprise Application Platform Redhat jbosseapxp |
|
| CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp |
|
| Vendors & Products |
Redhat
Redhat jboss Enterprise Application Platform Redhat jbosseapxp |
|
| References |
|
Wed, 11 Feb 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Keycloak
Keycloak keycloak-quarkus-server |
|
| Vendors & Products |
Keycloak
Keycloak keycloak-quarkus-server |
Tue, 10 Feb 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources. | |
| Title | org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users | |
| Weaknesses | CWE-284 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-16T15:11:51.549Z
Reserved: 2026-01-29T12:08:57.214Z
Link: CVE-2026-1609
Updated: 2026-07-16T12:04:37.270Z
No data.
OpenCVE Enrichment
Updated: 2026-02-11T22:00:54Z