Keycloak < 26.5.3 Multiple Vulnerabilities

High | Nessus Plugin ID 298654

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

Keycloak versions installed prior to 26.5.3 are affected by multiple vulnerabilities as referenced in the advisory.

- A flaw in the Keycloak JSON Web Token (JWT) authorization grant preview feature: the grant handler does not check whether the user account is disabled while processing the assertion. When the feature is enabled, a disabled account can still be used to obtain valid JWTs. (CVE-2026-1609)

- A flaw in the Keycloak organization invitation flow, where the invitation token's JSON Web Token (JWT) signature is not verified before its claims are used. An attacker holding a legitimate invitation token can modify the organization ID and target email in its payload and self-register into an organization they were not invited to, gaining unauthorized access. (CVE-2026-1529)

- A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens. (CVE-2026-1486)
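The three checks described above can be modelled side by side. The block below is an added example, not Keycloak's code or the advisory's: the names lookup_idp_from_issuer, jwt_grant, accept_invitation and run_scenarios, the HS256 signing (Keycloak verifies assertions against the IdP's asymmetric keys) and the sample IdP, user and invitation data are all assumptions for illustration. Each validator takes a hardened flag so that the vulnerable behaviour (disabled user, disabled IdP, unverified invitation payload) can be compared directly with the fixed one.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, key: bytes) -> str:
    """Issue an HS256 JWT (HMAC keeps the example free of third-party crypto)."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """Read the payload without checking the signature (the CVE-2026-1529 mistake)."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_and_decode(token: str, key: bytes) -> dict:
    """Check the HMAC over header.payload before any claim is trusted."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def lookup_idp_from_issuer(idps: dict, iss: str, require_enabled: bool):
    """Issuer lookup (assumed model); in CVE-2026-1486 it also returned disabled IdPs."""
    idp = idps.get(iss)
    if idp is None or (require_enabled and not idp["enabled"]):
        return None
    return idp

def jwt_grant(assertion: str, idps: dict, users: dict, hardened: bool):
    """Return access-token claims for a JWT-bearer assertion, or None to refuse."""
    # 'iss' is read unverified only to select the signing key; nothing else yet.
    idp = lookup_idp_from_issuer(idps, decode_unverified(assertion).get("iss"), hardened)
    if idp is None:
        return None
    try:
        claims = verify_and_decode(assertion, idp["key"])
    except ValueError:
        return None
    user = users.get(claims.get("sub"))
    if user is None or (hardened and not user["enabled"]):
        return None  # CVE-2026-1609: a disabled user must not receive a token
    return {"sub": claims["sub"], "via": idp["alias"]}

def accept_invitation(token: str, key: bytes, hardened: bool):
    """Return the organization/email an invitation token binds to, or None."""
    try:
        claims = verify_and_decode(token, key) if hardened else decode_unverified(token)
    except ValueError:
        return None
    return {"org_id": claims["org_id"], "email": claims["email"]}

def tamper(token: str, **changes) -> str:
    """Rewrite payload claims but keep the original, now stale, signature."""
    header, body, sig = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(changes)
    return f"{header}.{b64url(json.dumps(payload).encode())}.{sig}"

def run_scenarios() -> dict:
    """Constructed sample data: one partner IdP, one active and one disabled user."""
    idp_key, invite_key = b"partner-idp-secret", b"realm-invite-secret"
    idps = {"https://idp.example": {"alias": "partner", "key": idp_key, "enabled": True}}
    users = {"alice": {"enabled": True}, "bob": {"enabled": False}}
    alice = sign_jwt({"iss": "https://idp.example", "sub": "alice"}, idp_key)
    bob = sign_jwt({"iss": "https://idp.example", "sub": "bob"}, idp_key)
    invite = sign_jwt({"org_id": "org-A", "email": "guest@example.org"}, invite_key)
    forged = tamper(invite, org_id="org-B", email="attacker@example.org")
    out = {
        "alice_ok": jwt_grant(alice, idps, users, True) == {"sub": "alice", "via": "partner"},
        "forged_sig_rejected": jwt_grant(tamper(alice, sub="bob"), idps, users, True) is None,
        "disabled_user_vuln": jwt_grant(bob, idps, users, False) is not None,
        "disabled_user_fixed": jwt_grant(bob, idps, users, True) is None,
        "tampered_invite_vuln": accept_invitation(forged, invite_key, False)["org_id"] == "org-B",
        "tampered_invite_fixed": accept_invitation(forged, invite_key, True) is None,
    }
    idps["https://idp.example"]["enabled"] = False  # admin offboards the IdP
    out["disabled_idp_vuln"] = jwt_grant(alice, idps, users, False) is not None
    out["disabled_idp_fixed"] = jwt_grant(alice, idps, users, True) is None
    return out

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Every key in the dictionary returned by run_scenarios() is True: with hardened=False the disabled user, the disabled IdP and the tampered invitation all get through, and with hardened=True each is refused while the legitimate assertion still succeeds. The order of checks in jwt_grant matters: the issuer is read from the unverified payload only to choose the key, the signature is verified next, and only then are the subject's and the IdP's enabled flags consulted, so a forged assertion never reaches the user lookup.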

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade Keycloak to 26.5.3 or later.

See Also

https://www.keycloak.org/2026/02/keycloak-2653-released

https://github.com/keycloak/keycloak/issues/46144

https://github.com/keycloak/keycloak/issues/46145

https://github.com/keycloak/keycloak/issues/46146

https://github.com/keycloak/keycloak/issues/46147

https://github.com/advisories/GHSA-63v5-26vq-m4vm

Plugin Details

Severity: High

ID: 298654

File Name: keycloak_26_5_3.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 2/11/2026

Updated: 2/11/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.7

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-1486

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:keycloak:keycloak

Required KB Items: Host/local_checks_enabled, Host/uname

Exploit Ease: No known exploits are available

Patch Publication Date: 2/9/2026

Vulnerability Publication Date: 2/9/2026

Reference Information

CVE: CVE-2025-14778, CVE-2026-1190, CVE-2026-1486, CVE-2026-1529, CVE-2026-1609