CVE-2026-1486
Published: 09 February 2026
Summary
CVE-2026-1486 is a high-severity vulnerability classified as CWE-358 (Improperly Implemented Security Check for Standard). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 7.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation through vendor patching: directly mitigates the vulnerability by identifying, reporting, and applying the vendor patches that fix the failure to verify IdP enabled status before issuing tokens.
- IA-13 (Identity Providers and Authorization Servers): ensures proper registration, management, monitoring, and protection of identity providers, preventing acceptance of JWT assertions from disabled IdPs.
- SI-10 (Information Input Validation): requires validation of information inputs such as JWT assertions, including verification of the issuer's IdP enabled status during the jwt-authorization-grant flow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in Keycloak's public-facing IdP token-issuance flow and can be exploited remotely to obtain valid access tokens by bypassing the disabled-provider check.
NVD Description
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
Deeper analysis
CVE-2026-1486 is a vulnerability in Keycloak's jwt-authorization-grant flow, where the server fails to verify whether an Identity Provider (IdP) is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanism retrieves the IdP configuration without filtering out providers where isEnabled=false. As a result, if an administrator disables an IdP, for example after a compromise or offboarding, an entity holding that IdP's signing key can still generate JWT assertions that Keycloak accepts, leading to the issuance of valid access tokens. The issue is rated at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-358.
An attacker with the private signing key of a disabled IdP can exploit this over the network with low privileges and no user interaction. By crafting valid JWT assertions using the key, the attacker tricks Keycloak into issuing access tokens, enabling unauthorized access to protected resources and potentially full compromise of the authentication flow.
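The following is an added illustration, not Keycloak's code: a minimal model of the grant decision in which the issuer lookup either ignores the enabled flag (the flaw described above) or enforces it (the fix). IDP_REGISTRY, make_assertion, lookup_idp_from_issuer and exchange_assertion are constructed names, and HMAC-SHA256 stands in for whatever key material a real IdP signs with.

```python
import base64
import hashlib
import hmac
import json

# Constructed IdP registry standing in for Keycloak's IdP configuration (not Keycloak code).
# idp-b has been disabled by an administrator, e.g. after offboarding, but its key is still held.
IDP_REGISTRY = {
    "https://idp-a.example/": {"alias": "idp-a", "enabled": True, "secret": b"constructed-key-a"},
    "https://idp-b.example/": {"alias": "idp-b", "enabled": False, "secret": b"constructed-key-b"},
}


def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer: str, subject: str, secret: bytes) -> str:
    """Build an HS256-signed JWT assertion as an IdP holding `secret` would (toy stand-in for real keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    signing_input = header + b"." + payload
    signature = _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return (signing_input + b"." + signature).decode()


def lookup_idp_from_issuer(issuer: str, require_enabled: bool):
    """Resolve the issuer to an IdP. With require_enabled=False this models the flaw:
    a disabled IdP is still returned, so its assertions keep being honoured."""
    idp = IDP_REGISTRY.get(issuer)
    if idp is None or (require_enabled and not idp["enabled"]):
        return None
    return idp


def exchange_assertion(token: str, require_enabled: bool) -> str:
    """Model of the grant decision: returns 'issued: ...' or 'rejected: <reason>'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    idp = lookup_idp_from_issuer(claims["iss"], require_enabled)
    if idp is None:
        # Rejecting here (and logging it) is the fix: a valid signature from a disabled IdP must not count.
        return "rejected: unknown or disabled issuer"
    expected = hmac.new(idp["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "rejected: bad signature"
    return f"issued: access token for {claims['sub']} via {idp['alias']}"
```

The same correctly signed assertion from the disabled idp-b is accepted when the enabled flag is ignored and rejected when it is enforced, which is exactly the check the patched flow adds.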
Red Hat advisories RHSA-2026:2365 and RHSA-2026:2366 provide patches addressing this vulnerability. Additional details on mitigation and affected versions are available in the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-1486 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2433347.
Details
- CWE(s)