Improper Restriction of Security Token Assignment in org.keycloak:keycloak-services | CVE-2026-1609

Q: How to fix?

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

Introduced: 9 Feb 2026

CVE-2026-1609 (opens in a new tab) CWE-1259 (opens in a new tab)

How to fix?

Upgrade org.keycloak:keycloak-services to version 26.5.3 or higher.

Overview

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment due to improper enforcement of user disabled-state checks in the grant preview feature. An attacker can gain unauthorized access to sensitive resources by presenting a valid assertion token from an external identity provider for a disabled user account. This is only exploitable if the jwt-authorization-grant preview feature is explicitly enabled.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Restriction of Security Token Assignment Affecting org.keycloak:keycloak-services package, versions [26.5.2,26.5.3)

Severity

Do your applications use this vulnerable package?

Introduced: 9 Feb 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk