Keycloak JWT grant bypass for disabled users due to missing validation
CVE-2026-1609 Published on July 16, 2026
Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization grant with disabled users
A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the users disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.
Vulnerability Analysis
CVE-2026-1609 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public. 11 days later.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-1609 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2026-1609
stack.watch emails you whenever new vulnerabilities are published in Red Hat Jboss Enterprise Application Platform or Red Hat Jbosseapxp. Just hit a watch button to start following.
Affected Versions
Keycloak:- Version 26.5.0 and below 26.5.3 is affected.