4 matches found

vulnersOsv
added 2026/02/09 9:31 p.m., 3 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +149 more potentially affected by CVE-2026-1486 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.4.7)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.1, =1.1.7 and more Source cves: CVE-2026-1486 Source advisory: OSV:GHSA-37GF-GMXV-74WV...

8.8 CVSS, 5.4 AI score, 0.00449 EPSS
Exploits: 0
Circl
added 2026/02/09 8:24 p.m., 6 views

CVE-2026-1486

creationtimestamp | type | source
---|---|---
2026-02-09 20:24:03+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mehbpr3lqv23
2026-02-09 20:24:44+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mehbqyfm4i2v
2026-02-10 20:10:05+00:00 | seen | ...

8.8 CVSS, 5.1 AI score, 0.00449 EPSS
Exploits: 0, References: 4
ATTACKERKB
added 2026/02/09 6:36 p.m., 3 views

CVE-2026-1486

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration but does not filter...

8.8 CVSS, 5.6 AI score, 0.00449 EPSS
Exploits: 0, References: 5
EUVD
added 2026/01/08 5:12 p.m., 4 views

EUVD-2026-1486

OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files...

9.8 CVSS, 6.6 AI score, 0.00375 EPSS
Exploits: 0, References: 3