Keycloak Disabled Identity Provider JWT Authorization Grant Vulnerability

Vulnerability

A vulnerability exists in Keycloak's JWT authorization grant flow. The server does not verify whether an Identity Provider (IdP) is enabled before issuing tokens. An entity holding a disabled IdP's signing key can therefore produce JWT assertions that Keycloak still accepts, obtaining unauthorized access tokens. This issue affects Red Hat build of Keycloak 26.4.9.
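The missing check described above, modelled in a small JWT-bearer grant validator. This is an added example written for this advisory, not Keycloak's code: the IdP registry, the HMAC keys, the issuer URLs and the assertion itself are constructed, and HS256 is used only so the example runs offline (a real IdP would sign with an asymmetric key verified against its published public key). `validate_vulnerable` verifies signature, audience and expiry but never consults the IdP's enabled flag; `validate_fixed` adds the consult before any token would be issued.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed IdP registry standing in for the server's identity-provider
# configuration. "partner-b" has been disabled by an administrator but its
# key material is still present, which is the situation the advisory describes.
IDPS = {
    "partner-a": {"issuer": "https://idp-a.example", "key": b"key-a-constructed", "enabled": True},
    "partner-b": {"issuer": "https://idp-b.example", "key": b"key-b-constructed", "enabled": False},
}


def make_assertion(key: bytes, issuer: str, subject: str, audience: str, exp: int) -> str:
    """Build an HS256-signed JWT assertion (constructed test input)."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": audience, "exp": exp}, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class GrantRejected(Exception):
    """Raised when the assertion must not be exchanged for tokens."""


def _verify(assertion: str, idps: dict, audience: str, now: int, require_enabled: bool) -> dict:
    try:
        header_b64, payload_b64, sig_b64 = assertion.split(".")
    except ValueError:
        raise GrantRejected("malformed assertion") from None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise GrantRejected("unsupported alg")
    claims = json.loads(_b64url_decode(payload_b64))
    # Resolve the asserting IdP from the issuer claim.
    alias = next((a for a, cfg in idps.items() if cfg["issuer"] == claims.get("iss")), None)
    if alias is None:
        raise GrantRejected("unknown issuer")
    idp = idps[alias]
    # The fix: a disabled IdP is not trusted even when its key still verifies.
    if require_enabled and not idp["enabled"]:
        raise GrantRejected(f"identity provider {alias} is disabled")
    expected = hmac.new(idp["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise GrantRejected("bad signature")
    if claims.get("aud") != audience:
        raise GrantRejected("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise GrantRejected("expired")
    return {"idp": alias, "sub": claims["sub"]}


def validate_vulnerable(assertion: str, idps: dict, audience: str, now: int) -> dict:
    """Accepts any configured IdP whose key verifies, enabled or not (the flaw)."""
    return _verify(assertion, idps, audience, now, require_enabled=False)


def validate_fixed(assertion: str, idps: dict, audience: str, now: int) -> dict:
    """Same checks, plus the enabled-state check before tokens would be issued."""
    return _verify(assertion, idps, audience, now, require_enabled=True)


def outcome(validator, assertion: str, idps: dict, audience: str, now: int) -> str:
    """Return 'accepted:<sub>' or 'rejected:<reason>' for a validator, for comparison."""
    try:
        return "accepted:" + validator(assertion, idps, audience, now)["sub"]
    except GrantRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    b = IDPS["partner-b"]
    token = make_assertion(b["key"], b["issuer"], "alice", "keycloak", now + 300)
    print("vulnerable:", outcome(validate_vulnerable, token, IDPS, "keycloak", now))
    print("fixed:     ", outcome(validate_fixed, token, IDPS, "keycloak", now))
```

Running the block shows the two validators diverging only for the disabled provider: an assertion signed with the enabled provider's key is accepted by both, while one signed with the disabled provider's key is accepted by the vulnerable path and refused by the fixed path. Placing the enabled check before signature verification also means a disabled provider's key is never used at all, which is the state the remediation's key rotation aims to reach by other means.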

Impact

Exploitation of this vulnerability allows for unauthorized issuance of access tokens, bypassing security controls and potentially leading to unauthorized access to resources or actions within the application.

Remediation

Administrators should revoke or rotate the signing keys associated with any disabled Identity Provider in Keycloak to prevent unauthorized token issuance. Red Hat build of Keycloak 26.4.9 is available as a standalone server, as well as an integrated solution for OpenShift Container Platform.

Added: Feb 9, 2026, 8:33 PM
Updated: Feb 10, 2026, 3:02 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.2
remediation: 7.9
relevance: 2.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.