GHSA-37gf-gmxv-74wv

Source

https://github.com/advisories/GHSA-37gf-gmxv-74wv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-37gf-gmxv-74wv

Aliases

CVE-2026-1486

Downstream

MINI-hxgc-6jpf-9w27

MINI-p38m-24wh-8h29

Published

2026-02-09T21:31:03Z

Modified

2026-02-13T22:39:57.608167Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Details

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.

Database specific

{
    "cwe_ids": [
        "CWE-358"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T18:35:15Z",
    "severity": "HIGH",
    "nvd_published_at": "2026-02-09T20:15:55Z"
}

References

Affected packages

Maven / org.keycloak:keycloak-services

Package

Name: org.keycloak:keycloak-services; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

26.5.0

Fixed

26.5.3

Affected versions

26.*

26.5.0

26.5.1

26.5.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json"

Maven / org.keycloak:keycloak-services

Package

Name: org.keycloak:keycloak-services; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

26.4.9

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-beta-1

1.0-beta-1-20150521

1.0-beta-1-20150523

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-rc-1

1.0-rc-2

1.0-final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.0.4.Final

1.0.5.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Final

1.1.1.Final

1.2.0.Beta1

1.2.0.CR1

1.2.0.Final

1.3.0.Final

1.3.1.Final

1.4.0.Final

1.5.0-Final

1.5.0.Final

1.5.1.Final

1.6.0.Final

1.6.1.Final

1.7.0.CR1

1.7.0.Final

1.8.0.Alpha1

1.8.0.CR1

1.8.0.CR2

1.8.0.CR3

1.8.0.Final

1.8.1.Final

1.9.0.CR1

1.9.0.Final

1.9.1.Final

1.9.2.Final

1.9.3.Final

1.9.4.Final

1.9.5.Final

1.9.7.Final

1.9.8.Final

2.*

2.0.0.CR1

2.0.0.Final

2.1.0.CR1

2.1.0.Final

2.2.0.CR1

2.2.0.Final

2.2.1.Final

2.3.0.CR1

2.3.0.Final

2.4.0.CR1

2.4.0.Final

2.5.0.CR1

2.5.0.Final

2.5.1.Final

2.5.4.Final

2.5.5.Final

3.*

3.0.0.CR1

3.0.0.Final

3.1.0.CR1

3.1.0.Final

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.3.0.CR1

3.3.0.CR2

3.3.0.Final

3.4.0.CR1

3.4.0.Final

3.4.1.CR1

3.4.1.Final

3.4.2.Final

3.4.3.Final

4.*

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.Final

4.1.0.Final

4.2.0.Final

4.2.1.Final

4.3.0.Final

4.4.0.Final

4.5.0.Final

4.6.0.Final

4.7.0.Final

4.8.0.Final

4.8.1.Final

4.8.2.Final

4.8.3.Final

5.*

5.0.0

6.*

6.0.0

6.0.1

7.*

7.0.0

7.0.1

8.*

8.0.0

8.0.1

8.0.2

9.*

9.0.0

9.0.2

9.0.3

10.*

10.0.0

10.0.1

10.0.2

11.*

11.0.0

11.0.1

11.0.2

11.0.3

12.*

12.0.0

12.0.1

12.0.2

12.0.3

12.0.4

13.*

13.0.0

13.0.1

14.*

14.0.0

15.*

15.0.0

15.0.1

15.0.2

15.1.0

15.1.1

16.*

16.0.0

16.1.0

16.1.1

17.*

17.0.0

17.0.1

18.*

18.0.0

18.0.1

18.0.2

19.*

19.0.0

19.0.1

19.0.2

19.0.3

20.*

20.0.0

20.0.1

20.0.2

20.0.3

20.0.4

20.0.5

21.*

21.0.0

21.0.1

21.0.2

21.1.0

21.1.1

21.1.2

22.*

22.0.0

22.0.1

22.0.2

22.0.3

22.0.4

22.0.5

23.*

23.0.0

23.0.1

23.0.2

23.0.3

23.0.4

23.0.5

23.0.6

23.0.7

24.*

24.0.0

24.0.1

24.0.2

24.0.3

24.0.4

24.0.5

25.*

25.0.0

25.0.1

25.0.2

25.0.3

25.0.4

25.0.5

25.0.6

26.*

26.0.0

26.0.1

26.0.2

26.0.3

26.0.4

26.0.5

26.0.6

26.0.7

26.0.8

26.1.0

26.1.1

26.1.2

26.1.3

26.1.4

26.1.5

26.2.0

26.2.1

26.2.2

26.2.3

26.2.4

26.2.5

26.3.0

26.3.1

26.3.2

26.3.3

26.3.4

26.3.5

26.4.0

26.4.1

26.4.2

26.4.3

26.4.4

26.4.5

26.4.6

26.4.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json"