关键漏洞信息 Bug ID: 2433347 CVE ID: CVE-2026-1486 Title: org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant Keywords: Security Status: NEW Product: Security Response Component: vulnerability Version: unspecified Hardware: All OS: Linux Priority: high Severity: high Assignee: Product Security DevOps Team Description of Vulnerability A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.