Keycloak services allows the issuance of access and refresh tokens for disabled users

GHSA-wv3h-x6c4-r867 · CVE-2025-14559

Published Jan 21, 2026 · Modified Feb 13, 2026

Description

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-14559
WEB https://github.com/keycloak/keycloak/issues/45651
WEB https://github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e659
WEB https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff
WEB https://access.redhat.com/errata/RHSA-2026:2365
WEB https://access.redhat.com/errata/RHSA-2026:2366
WEB https://access.redhat.com/security/cve/CVE-2025-14559
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2421711
PACKAGE https://github.com/keycloak/keycloak
WEB https://github.com/keycloak/keycloak/releases/tag/26.5.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes