Zombie IdPs: The Keycloak CVE-2026-1486 Deep Dive
Vulnerability ID: CVE-2026-1486
CVSS Score: 8.8
Published: 2026-02-09
A critical logic flaw in Keycloak's implementation of JWT Authorization Grants allows JWTs signed by a disabled Identity Provider (IdP) to continue being accepted for valid access tokens. Because Keycloak does not check the 'enabled' status of an IdP during the resolution process, an attacker who holds a disabled provider's signing keys can bypass the administrative restriction and maintain unauthorized access.
TL;DR
Keycloak fails to check whether an Identity Provider is disabled before accepting its JWTs. If an admin disables a compromised IdP but does not delete its keys, the attacker can still log in. CVSS 8.8.
⚠️ Exploit Status: PoC
Technical Details
- CWE: CWE-287
- CVSS v3.1: 8.8 (High)
- Attack Vector: Network
- EPSS Score: 0.00045
- Impact: Authorization Bypass
- Exploit Status: PoC Available (Logic Trivial)
- Patch Status: Available
Affected Systems
- Keycloak (Upstream Project)
- Red Hat build of Keycloak
- Red Hat build of Keycloak: 26.4.x < 26.4.9 (Fixed in: 26.4.9-1)
- Keycloak: < Commit 176dc89 (Fixed in: PR #46148)
Code Analysis
Commit: 176dc89
Fix: Check if IdentityProviderModel is enabled before processing JWT
@@ -123,6 +123,7 @@ public class FederatedJWTClientAuthenticator {
- if (lookup == null || lookup.identityProviderModel() == null || lookup.clientModel() == null) {
+ if (lookup == null || lookup.identityProviderModel() == null || !lookup.identityProviderModel().isEnabled() || lookup.clientModel() == null) {
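Review bot: The new `!lookup.identityProviderModel().isEnabled()` condition is folded into the same `if` as the null checks, so a JWT presented for a disabled IdP fails through the same branch as "no IdP found" and the two cases cannot be told apart afterwards. Since the mitigation guidance relies on auditing logs for token issuance from IdPs that should be disabled, consider handling the disabled case in its own branch that logs or emits a distinct error (for example, "identity provider is disabled") before rejecting, so that attempts against a disabled provider are visible to operators.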
Exploit Details
- N/A: Logic flaw exploitable by any valid JWT signed by a disabled provider key.
Mitigation Strategies
- Upgrade Keycloak immediately to patched versions.
- If patching is delayed, delete public keys/certificates of disabled IdPs.
- Audit logs for token issuance from IdPs that should be disabled.
Remediation Steps
- Identify all Identity Providers currently set to 'Disabled' in the Keycloak Admin Console.
- Verify if any traffic has been logged from these IdPs (search for grant_type=jwt-bearer and the specific issuer).
- Apply the patch (Commit 176dc89) or upgrade to version 26.4.9+.
- Rotate keys for any IdP that was disabled due to suspected compromise.
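The log audit from the remediation steps above, as an added example that is not taken from the report or from the Keycloak project: it parses event lines, reads the issuer either from an `issuer` field or from the unverified `iss` claim of the presented assertion, and flags every jwt-bearer grant (successful or failed) tied to a disabled IdP. The key=value log layout, the `issuer`/`assertion` field names, the IdP URLs and the sample events are all constructed assumptions for this example; adapt `parse_event()` to what your event listener actually emits.

```python
import base64
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    # Constructed sample token; the signature segment is a placeholder since
    # this audit script never verifies signatures (that is Keycloak's job).
    header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig-placeholder"
# Issuer URLs of IdPs shown as Disabled in the admin console (constructed values).
DISABLED_ISSUERS = {"https://idp-old.example.test"}
# Constructed Keycloak-style event lines. The key=value layout and the
# issuer/assertion fields are assumptions, not Keycloak's documented log format.
SAMPLE_LOG = "\n".join([
    "type=CLIENT_LOGIN, realmId=prod, clientId=billing-svc, ipAddress=10.0.0.5, "
    "grant_type=jwt-bearer, issuer=https://idp-old.example.test",
    "type=CLIENT_LOGIN, realmId=prod, clientId=billing-svc, ipAddress=10.0.0.6, "
    "grant_type=client_credentials",
    "type=CLIENT_LOGIN, realmId=prod, clientId=reports, ipAddress=10.0.0.9, "
    "grant_type=jwt-bearer, issuer=https://idp-current.example.test",
    "type=CLIENT_LOGIN, realmId=prod, clientId=reports, ipAddress=10.0.0.8, "
    "grant_type=jwt-bearer, assertion="
    + make_unsigned_jwt({"iss": "https://idp-old.example.test", "sub": "reports"}),
    "type=CLIENT_LOGIN_ERROR, realmId=prod, clientId=billing-svc, ipAddress=10.0.0.7, "
    "grant_type=jwt-bearer, issuer=https://idp-old.example.test",
])

def parse_event(line):
    """Split a 'k=v, k=v' line into a dict; the first '=' separates key and value."""
    return dict(kv.split("=", 1) for kv in line.split(", ") if "=" in kv)

def issuer_from_jwt(token):
    """Read the unverified iss claim from a JWT payload (audit use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("iss")

def find_disabled_idp_grants(log_text, disabled_issuers):
    """Return jwt-bearer events (successes and failures) issued by a disabled IdP."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("grant_type") != "jwt-bearer":
            continue
        issuer = ev.get("issuer") or (
            issuer_from_jwt(ev["assertion"]) if "assertion" in ev else None)
        if issuer in disabled_issuers:
            findings.append({"type": ev["type"], "clientId": ev["clientId"],
                             "ipAddress": ev["ipAddress"], "issuer": issuer})
    return findings
```

Any hit on a disabled issuer, including CLIENT_LOGIN_ERROR entries, is a signal that the disabled IdP's keys are still being exercised and should be rotated as the last step describes.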