CVE-2026-1486

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw exists in the jwt-authorization-grant flow where the server does not verify if an Identity Provider (IdP) is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanism retrieves the IdP configuration without filtering for the isEnabled status. Consequently, if an administrator disables an IdP, an entity with the IdP’s signing key can still generate valid JWT assertions, leading to the issuance of valid access tokens. This could result in unauthorized access.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.