CNNVD-202602-1333 Information
Feb 09, 2026
CNNVD ID
CNNVD-202602-1333
Related CVE
- CNNVD Published: 2026-02-09
Description (Chinese)
Keycloak is an open-source identity and access management solution from Keycloak. Keycloak has a security vulnerability: when the JWT authorization grant preview feature is enabled and a user account is disabled, Keycloak does not validate the user's disabled status while processing the JWT authorization grant. This could allow a low-privileged remote attacker holding a valid assertion token from an external identity provider to obtain a JWT for the disabled user.
Description (English)
Keycloak is an open-source identity and access management solution from Keycloak. Keycloak contains a security vulnerability that arises when the JWT authorization grant preview feature is enabled and a user account has been disabled. Because Keycloak does not check the user's disabled status while processing the JWT authorization grant, a low-privileged remote attacker with a valid assertion token from an external identity provider could obtain a JWT for the disabled user.
Hazard Level
Medium
Vulnerability Type
Other
Affected Vendor
Keycloak
Published
2026-02-09
Last Modified
2026-02-24
References
https://access.redhat.com/security/cve/cve-2026-1609