Publish Advisories

GHSA-37gf-gmxv-74wv
GHSA-hcvw-475w-8g7p

Author: advisory-database[bot]

…-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json …-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.jsonadvisories/unreviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json renamed to advisories/github-reviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json advisories/unreviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json renamed to advisories/github-reviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json

@@ -1,24 +1,57 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-37gf-gmxv-74wv",
-  "modified": "2026-02-10T03:30:27Z",
+  "modified": "2026-02-10T18:35:15Z",
   "published": "2026-02-09T21:31:03Z",
   "aliases": [
     "CVE-2026-1486"
   ],
+  "summary": "Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens",
   "details": "A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to a compromise or offboarding), an entity possessing that IdP's signing key can still generate valid JWT assertions that Keycloak accepts, resulting in the issuance of valid access tokens.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.5.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1486"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/46146"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/pull/46148"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/176dc8902ce552056d3648c4601d519afc6fb043"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:2365"
@@ -34,15 +67,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433347"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-358"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-10T18:35:15Z",
     "nvd_published_at": "2026-02-09T20:15:55Z"
   }
 }

…-hcvw-475w-8g7p/GHSA-hcvw-475w-8g7p.json …-hcvw-475w-8g7p/GHSA-hcvw-475w-8g7p.jsonadvisories/unreviewed/2026/02/GHSA-hcvw-475w-8g7p/GHSA-hcvw-475w-8g7p.json renamed to advisories/github-reviewed/2026/02/GHSA-hcvw-475w-8g7p/GHSA-hcvw-475w-8g7p.json advisories/unreviewed/2026/02/GHSA-hcvw-475w-8g7p/GHSA-hcvw-475w-8g7p.json renamed to advisories/github-reviewed/2026/02/GHSA-hcvw-475w-8g7p/GHSA-hcvw-475w-8g7p.json

@@ -1,24 +1,57 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hcvw-475w-8g7p",
-  "modified": "2026-02-10T03:30:27Z",
+  "modified": "2026-02-10T18:35:20Z",
   "published": "2026-02-09T21:31:03Z",
   "aliases": [
     "CVE-2026-1529"
   ],
+  "summary": "Keycloak affected by improper invitation token validation",
   "details": "A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.5.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1529"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/46145"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/pull/46155"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/8fc9a98026106a326f4faa98d4c9a48341ace2d7"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:2363"
@@ -42,15 +75,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433783"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-347"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-10T18:35:20Z",
     "nvd_published_at": "2026-02-09T20:15:55Z"
   }
 }