Cyber Resilience

CVE-2026-1486

Severity: High (updated)

Published: 09 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (RHSA-2026:2365, RHSA-2026:2366)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (35.9th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-1486 is a high-severity Improperly Implemented Security Check for Standard (CWE-358) vulnerability in Keycloak; the vendor, Red Hat, is inferred from the references. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 35.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1486 is a vulnerability in Keycloak's jwt-authorization-grant flow, where the server fails to verify whether an Identity Provider (IdP) is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanism retrieves IdP configuration without filtering for providers where isEnabled=false. As a result, if an administrator disables an IdP—such as due to compromise or offboarding—an entity holding that IdP's signing key can still generate JWT assertions that Keycloak accepts, leading to the issuance of valid access tokens. The issue is rated at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-358.

The precondition is possession of the disabled IdP's private signing key, which is precisely the situation that disabling the IdP was meant to contain (a compromised or offboarded provider). With that key, an attacker can exploit the flaw over the network with low privileges (PR:L) and no user interaction: by crafting JWT assertions that name the disabled IdP as issuer, the attacker obtains access tokens from Keycloak, gaining unauthorized access to protected resources and potentially full compromise of the authentication flow.

Red Hat advisories RHSA-2026:2365 and RHSA-2026:2366 provide patches addressing this vulnerability. Additional details on mitigation and affected versions are available in the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-1486 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2433347.

Vulnerability details

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
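The Go program below is an added illustration, not code from this page, from Keycloak or from Red Hat. It models the flow described in the deeper analysis and in the vulnerability details: a JWT-bearer assertion is resolved to an IdP by its iss claim, the signature is checked against that IdP's key, and a subject is returned for token issuance. The IdentityProvider and Realm types, the signature of lookupIdentityProviderFromIssuer, the issuer URL and the locally generated RSA key are all assumptions made for the example; Keycloak's real implementation differs. The requireEnabled flag switches between the unpatched behaviour (issuer found, enabled flag ignored) and the corrected one (assertion refused once the IdP is disabled).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IdentityProvider is a hypothetical stand-in for an IdP entry in a realm:
// the IdP's public signing key and the admin-controlled enabled flag.
type IdentityProvider struct {
	PubKey  *rsa.PublicKey
	Enabled bool
}

// Realm indexes IdPs by issuer, mirroring the by-issuer lookup in the advisory.
type Realm struct{ idps map[string]*IdentityProvider }

var errDisabledIdP = errors.New("identity provider is disabled")

// lookupIdentityProviderFromIssuer returns the IdP for iss with no regard to
// Enabled, which is the behaviour the advisory attributes to the unpatched server.
func (r *Realm) lookupIdentityProviderFromIssuer(iss string) *IdentityProvider { return r.idps[iss] }

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signAssertion builds a compact RS256 JWT: what anyone holding the IdP's
// private signing key can produce, whether or not the IdP is still enabled.
func signAssertion(priv *rsa.PrivateKey, iss, sub string, exp time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pld, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "exp": exp.Unix()})
	input := b64url(hdr) + "." + b64url(pld)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// verifyAssertion resolves the issuer, checks the RS256 signature and expiry,
// and returns the subject a token would be minted for. requireEnabled=false
// reproduces the vulnerable flow; requireEnabled=true adds the missing check.
func (r *Realm) verifyAssertion(jwt string, now time.Time, requireEnabled bool) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	var claims struct{ Iss, Sub string; Exp int64 } // encoding/json matches "iss" etc. case-insensitively
	if pld, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pld, &claims) != nil {
		return "", errors.New("malformed JWT payload")
	}
	idp := r.lookupIdentityProviderFromIssuer(claims.Iss)
	if idp == nil {
		return "", errors.New("unknown issuer")
	}
	if requireEnabled && !idp.Enabled { // the check CVE-2026-1486 lacks
		return "", errDisabledIdP
	}
	// The algorithm is pinned to RS256 by the IdP configuration rather than
	// read from the header, so a forged "alg" cannot downgrade verification.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(idp.PubKey, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return "", errors.New("assertion expired")
	}
	return claims.Sub, nil
}

// runScenario plays the offboarding case: IdP enabled, key holder signs an
// assertion, admin disables the IdP, the same assertion is replayed. It returns
// what the unpatched and patched flows each decide, plus any setup error.
func runScenario() (vulnErr, fixedErr, setupErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated locally for the example
	if err != nil {
		return nil, nil, err
	}
	const iss = "https://idp.example.test" // constructed issuer, not a real IdP
	realm := &Realm{idps: map[string]*IdentityProvider{iss: {PubKey: &priv.PublicKey, Enabled: true}}}
	now := time.Now()
	jwt, err := signAssertion(priv, iss, "alice", now.Add(5*time.Minute))
	if err != nil {
		return nil, nil, err
	}
	if _, err = realm.verifyAssertion(jwt, now, true); err != nil {
		return nil, nil, fmt.Errorf("enabled IdP should verify: %w", err)
	}
	realm.idps[iss].Enabled = false // offboarding or compromise response
	_, vulnErr = realm.verifyAssertion(jwt, now, false)
	_, fixedErr = realm.verifyAssertion(jwt, now, true)
	return vulnErr, fixedErr, nil
}

func main() {
	vulnErr, fixedErr, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("unpatched:", vulnErr, "| patched:", fixedErr) // unpatched: <nil> | patched: identity provider is disabled
}
```

The enabled check sits before signature verification on purpose: the decision that a disabled provider may not mint assertions depends only on configuration, so it should fail closed before any cryptography runs, and it does not require the verifier to have the IdP's key at all.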

CWE(s)

CWE-358 Improperly Implemented Security Check for Standard

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in public-facing Keycloak IdP token issuance flow directly enables remote exploitation to obtain valid access tokens by bypassing disabled provider checks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22618 (shared CWE-358)
CVE-2025-66603 (shared CWE-358)
CVE-2026-44473 (shared CWE-358)
CVE-2026-29103 (shared CWE-358)
CVE-2020-9295 (shared CWE-358)
CVE-2021-26105 (shared CWE-358)

Affected Assets

Red Hat (Keycloak)
Inferred from the references and description; NVD has not filed a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent (vendor patching)
Directly mitigates the vulnerability by identifying, reporting, and applying the vendor patches that fix the failure to verify IdP enabled status before issuing tokens.

prevent (IA-13 Identity Providers and Authorization Servers)
Ensures proper registration, management, monitoring, and protection of identity providers, preventing acceptance of JWT assertions from disabled IdPs.

prevent (SI-10 Information Input Validation)
Requires validation of information inputs such as JWT assertions, including verification of the issuer's IdP enabled status during the jwt-authorization-grant flow.