Skip to main content
CVE Vulnerability Database

CVE-2026-1609: Keycloak Auth Bypass Vulnerability

CVE-2026-1609 is an authentication bypass flaw in Keycloak that allows disabled users to obtain JWT tokens through external identity providers. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-1609 Overview

CVE-2026-1609 is an improper access control vulnerability in Keycloak's JSON Web Token (JWT) authorization grant preview feature. When the feature is enabled, Keycloak fails to validate whether a user account is disabled during JWT authorization grant processing. An attacker holding a valid assertion token from an external identity provider can request a JWT for a disabled user account. The server issues the token despite the account being administratively disabled, granting access to protected resources. The flaw is tracked as CWE-284: Improper Access Control and is addressed in Keycloak 26.5.3.

Critical Impact

Attackers with a valid external IdP assertion can obtain JWTs for disabled accounts, bypassing account deactivation controls and accessing sensitive resources.

Affected Products

  • Keycloak releases prior to 26.5.3 with the JWT authorization grant preview feature enabled
  • Red Hat build of Keycloak (see Red Hat CVE Advisory CVE-2026-1609)
  • Deployments federating with external identity providers that issue assertion tokens

Discovery Timeline

  • 2026-07-16 - CVE-2026-1609 published to the National Vulnerability Database
  • 2026-07-16 - Last updated in NVD database
  • Fix delivered in Keycloak Release 26.5.3

Technical Details for CVE-2026-1609

Vulnerability Analysis

Keycloak supports a preview feature that permits clients to exchange an external assertion token for a Keycloak-issued JWT using the JWT authorization grant flow defined in RFC 7523. During this grant processing path, Keycloak resolves the target user based on the incoming assertion but does not enforce the user's enabled state before minting the resulting access token.

Account disablement is a primary administrative control used to revoke access following termination, compromise, or policy violation. Because the disabled-status check is missing in this specific code path, the account remains functionally active for any client that can present a valid external IdP assertion. The issued JWT carries the disabled user's identity and scopes and is accepted by downstream resource servers.

The vulnerability requires the preview feature to be explicitly enabled and requires the attacker to possess a valid assertion token from a trusted external identity provider. Confidentiality and integrity impact are high because the attacker gains authenticated access under the disabled user's identity.

Root Cause

The root cause is a missing authorization check during JWT authorization grant processing. The code path validates the signature and issuer of the external assertion and locates the corresponding local user but omits the UserModel.isEnabled() verification that other authentication flows enforce. See GitHub Keycloak Issue #46144 for the upstream tracking.

Attack Vector

The attacker authenticates against a federated external identity provider and obtains an assertion token for a target user who has since been disabled in Keycloak. The attacker submits the assertion to Keycloak's token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. Keycloak validates the assertion, skips the disabled-account check, and returns an access token. The attacker then presents the token to any resource server trusting Keycloak-issued JWTs. No user interaction is required and the attack is remotely exploitable over the network.

No verified public exploit code is available. The vulnerability is described in prose based on the vendor advisory rather than reconstructed from proof-of-concept material.

Detection Methods for CVE-2026-1609

Indicators of Compromise

  • Successful token endpoint responses using grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer for user accounts flagged as disabled in the Keycloak admin console
  • Authentication events in Keycloak event logs where the subject user has enabled=false at the time of token issuance
  • Downstream application access logs showing activity by user identities that were administratively disabled

Detection Strategies

  • Correlate Keycloak CODE_TO_TOKEN and TOKEN_EXCHANGE events against the current user state store to flag tokens minted for disabled subjects.
  • Enable and review Keycloak event listener output for the JWT bearer grant type, filtering on assertions originating from external IdPs.
  • Baseline expected clients and users authorized to use the JWT authorization grant preview feature and alert on deviations.

Monitoring Recommendations

  • Forward Keycloak admin and authentication events to a centralized log platform with retention sufficient to reconstruct token issuance history.
  • Alert on any post-disablement authentication event referencing a user account whose enabled attribute is false.
  • Monitor Keycloak version and feature-flag configuration for the presence of the JWT authorization grant preview feature in production realms.

How to Mitigate CVE-2026-1609

Immediate Actions Required

  • Upgrade Keycloak to version 26.5.3 or later as published in Keycloak Release 26.5.3.
  • If immediate upgrade is not possible, disable the JWT authorization grant preview feature on all realms.
  • Audit all currently active sessions and refresh tokens issued for accounts that have been disabled and revoke them.
  • Rotate signing keys if evidence indicates tokens were issued for disabled accounts during the exposure window.

Patch Information

The upstream fix is included in Keycloak 26.5.3. Red Hat customers should follow guidance in the Red Hat CVE Advisory CVE-2026-1609 and the machine-readable Red Hat VEX Document CVE-2026-1609 for product-specific errata. Additional tracking is available in Red Hat Bug Report #2435257.

Workarounds

  • Disable the JWT authorization grant preview feature by removing it from the Keycloak features configuration until the patched release is deployed.
  • Restrict which clients are permitted to use the urn:ietf:params:oauth:grant-type:jwt-bearer grant type through client policies.
  • Enforce short access token lifetimes to reduce the window during which a token issued for a disabled account remains valid.
bash
# Disable the JWT authorization grant preview feature in Keycloak
# Remove or omit the feature flag from your startup configuration
bin/kc.sh start --features-disabled=token-exchange,jwt-bearer-grant

# Verify the running Keycloak version is 26.5.3 or later
bin/kc.sh --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.