CVE-2026-1486: Improperly Implemented Security Check for Standard in Red Hat Red Hat build of Keycloak 26.4
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.
AI Analysis
Technical Summary
CVE-2026-1486 is a high-severity vulnerability in Red Hat build of Keycloak 26.4, specifically within the jwt-authorization-grant flow, in which a JWT assertion issued by an external Identity Provider (IdP) is exchanged for Keycloak tokens. Keycloak is an open-source identity and access management solution widely used for single sign-on and token issuance. The flaw is a missing security check: before issuing tokens, the server does not verify that the IdP matched by the assertion's issuer is enabled. The function responsible for issuer lookup, lookupIdentityProviderFromIssuer, retrieves the IdP configuration by issuer but does not exclude IdPs marked as disabled (isEnabled=false). Disabling an IdP is the control administrators reach for to revoke trust after a compromise or during decommissioning, so the consequence is that anyone holding that IdP's signing key can still mint assertions that Keycloak validates and exchanges for access tokens, and the administrative "disable" has no effect on this grant. The CVSS v3.1 score is 8.8 (high): network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the flaw is significant for organizations that federate with external IdPs through this grant, because an offboarded or compromised partner remains a valid token source until its configuration is removed, not merely disabled. The issue highlights the need for every trust decision in a federated flow (issuer lookup, key selection, signature validation) to re-check the provider's current status rather than relying on configuration being present.
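The lookup-and-exchange path described above, modelled in Python as an added example (this is not Keycloak's code; the names lookup_idp_from_issuer and exchange_assertion, the realm contents and the use of HS256 shared secrets in place of the asymmetric keys a real IdP would use are all assumptions made for illustration). The same assertion, signed with a disabled IdP's key, is exchanged for a token when the issuer lookup ignores the enabled flag and is rejected once the lookup filters on it:

```python
"""Model of the CVE-2026-1486 issuer-lookup flaw (added example, not Keycloak code).

A JWT bearer assertion is signed with the key of an IdP that an administrator
has already disabled. require_enabled=False reproduces the vulnerable lookup;
require_enabled=True is the fixed behaviour. HS256 is used only so the example
is self-contained; real IdPs sign assertions with asymmetric keys.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass
class IdentityProvider:
    alias: str
    issuer: str
    key: bytes          # stands in for the verification key Keycloak stores for the IdP
    enabled: bool = True


# Constructed realm: partner-a is live, partner-b was offboarded and disabled,
# but its key material is still present in the realm configuration.
REALM = [
    IdentityProvider("partner-a", "https://idp-a.example", b"key-a-still-trusted", enabled=True),
    IdentityProvider("partner-b", "https://idp-b.example", b"key-b-offboarded", enabled=False),
]
AUDIENCE = "https://sso.example/realms/demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT, standing in for the IdP's signer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def lookup_idp_from_issuer(realm, issuer, require_enabled):
    """Issuer -> IdP lookup. The vulnerable variant returns disabled providers too."""
    for idp in realm:
        if idp.issuer == issuer and (idp.enabled or not require_enabled):
            return idp
    return None


def exchange_assertion(realm, assertion, audience, require_enabled):
    """Validate the assertion and return a token dict, or None when rejected."""
    header_b64, payload_b64, sig_b64 = assertion.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice beyond the allow-list
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    idp = lookup_idp_from_issuer(realm, claims.get("iss"), require_enabled)
    if idp is None:
        return None
    expected = hmac.new(idp.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= time.time():
        return None
    return {"sub": claims["sub"], "idp": idp.alias, "exp": claims["exp"]}


def _claims(idp: IdentityProvider, subject: str) -> dict:
    now = int(time.time())
    return {"iss": idp.issuer, "sub": subject, "aud": AUDIENCE, "iat": now, "exp": now + 300}


def forged_assertion_from_disabled_idp() -> str:
    """What a holder of partner-b's leaked key can still produce after the disable."""
    return sign_assertion(_claims(REALM[1], "alice"), REALM[1].key)


def valid_assertion_from_enabled_idp() -> str:
    return sign_assertion(_claims(REALM[0], "bob"), REALM[0].key)


def demo():
    """Returns (vulnerable_result, fixed_result) for the forged assertion."""
    forged = forged_assertion_from_disabled_idp()
    return (exchange_assertion(REALM, forged, AUDIENCE, require_enabled=False),
            exchange_assertion(REALM, forged, AUDIENCE, require_enabled=True))


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable lookup issued:", vulnerable)   # token for alice via partner-b
    print("fixed lookup issued:     ", fixed)        # None
```

The point the model makes explicit: signature validation succeeds in both cases because the disabled IdP's key is still in the realm, so the only thing standing between a leaked key and a token is the enabled check inside the issuer lookup. Until the lookup enforces it, removing the key material (or the IdP) is the only configuration change that actually closes the path.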
Potential Impact
The vulnerability allows anyone holding a disabled IdP's signing key to produce JWT assertions that Keycloak exchanges for valid access tokens, bypassing the administrative control intended to cut that IdP off. This can lead to unauthorized access to applications and data protected by Keycloak-issued tokens, privilege escalation through whatever roles the federated identity maps to, and lateral movement within the affected environment. The impact spans confidentiality (exposure of sensitive data), integrity (actions performed under forged identities), and availability (disruption through misuse of the obtained access). Organizations that federate through this grant are at risk precisely in the scenario the disable switch is meant to cover: a partner IdP that has been compromised or offboarded. The attack is network-based, requires no user interaction, and needs only the ability to submit the grant plus the disabled IdP's key, so the realistic threat actors are former partners, insiders, and anyone who obtained a key before it was meant to be retired, which makes key lifecycle management the deciding factor.
Mitigation Recommendations
1. Apply the official Red Hat update as soon as it is available so the issuer lookup enforces the isEnabled check.
2. In the interim, do not rely on disabling an IdP to revoke its trust. Remove the IdP from the realm, or at least remove its verification key material (configured public key, certificate, or JWKS URL) from the Keycloak configuration, so that assertions signed with its key can no longer validate.
3. Rotate the signing keys of IdPs you control when they are retired or suspected compromised, but note that rotation on the IdP side only helps if Keycloak no longer trusts the old key.
4. Audit and monitor Keycloak events for token issuance through the JWT authorization grant, and alert on any issuer that maps to an IdP you consider decommissioned.
5. Restrict access to IdP signing keys to minimize the chance of compromise in the first place.
6. Prefer deleting unused or deprecated IdPs over leaving them in a disabled state.
7. Where feasible, limit which clients may use the JWT authorization grant so that a forged assertion has fewer places to be presented.
8. Conduct regular reviews of federation configurations and key management practices, and make sure administrators understand that, until patched, "disabled" does not mean "untrusted" for this grant.
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-01-27T13:35:02.603Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698a36074b57a58fa16ab1b4
Added to database: 2/9/2026, 7:31:19 PM
Last enriched: 2/26/2026, 7:11:39 PM
Last updated: 4/6/2026, 4:49:54 PM