CVE-2026-1609 - Vulnerability Details - OpenCVE

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-1609
https://www.cve.org/CVERecord?id=CVE-2026-1609

History

Tue, 10 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.
Title		org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users
Weaknesses		CWE-284
References		https://nvd.nist.gov/vuln/detail/CVE-2026-1609 https://www.cve.org/CVERecord?id=CVE-2026-1609
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` threat_severity `Important`

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Publid Date: 2026-02-09T18:59:00Z

Links: CVE-2026-1609 - Bugzilla

OpenCVE Enrichment

No data.

{"bugzilla": {"description": "org.keycloak/keycloak-quarkus-server: Keycloak: Unauthorized Access via JWT authorization grant with disabled users", "id": "2435257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435257"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-284", "details": ["A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user\u2019s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that the `jwt-authorization-grant` preview feature is not enabled in Keycloak deployments. This feature is typically disabled by default. If it has been explicitly enabled, it should be disabled to prevent unauthorized access by disabled user accounts. Consult Keycloak documentation for specific instructions on managing preview features and configuration. A restart of the Keycloak service may be required after disabling the feature for the changes to take effect."}, "name": "CVE-2026-1609", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-app", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-deployment", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-app", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "keycloak-quarkus-server-deployment", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-09T18:59:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1609\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1609"], "statement": "The Red Hat Product Security team has assessed this vulnerability as High severity; however, it only affects upstream Keycloak version 26.5.2, which includes a preview JWT authorization grant feature. No released Red Hat Build of Keycloak (RHBK) versions are impacted, as this feature has not been shipped in any downstream product. The issue arises from improper enforcement of user disabled-state checks during JWT authorization grant processing, potentially allowing unauthorized access when the preview feature is explicitly enabled. Red Hat products remain unaffected at this time.", "threat_severity": "Important"}