Keycloak Update 26.5.4 (MINDBREEZE40986)

ID: MINDBREEZE40986 
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS 
Severity: 8.8 High 
Status: Final 
First published: June 11, 2026 
CVEs: CVE-2026-1002, CVE-2026-1190, CVE-2026-1486, CVE-2026-2733 

Summary 

  • CVE-2026-1002: A path normalization flaw in the Vert.x Web static handler allows attackers to use crafted URIs to manipulate the cache and trigger unauthorized 404 errors for legitimate files. 
  • CVE-2026-1190: Keycloak’s SAML brokering fails to validate the NotOnOrAfter timestamp, potentially allowing attackers to extend the validity of SAML responses and session durations. 
  • CVE-2026-1486: The Keycloak jwt-authorization-grant flow neglects to check if an Identity Provider is enabled, allowing disabled providers to still issue valid access tokens via signed JWT assertions. 
  • CVE-2026-2733: Keycloak's Docker v2 authentication endpoint fails to respect the "Enabled" setting, allowing disabled clients to continue obtaining valid authentication tokens. 
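As an added illustration of the check that CVE-2026-1190 describes as missing (example code written for this page, not Keycloak's or Mindbreeze's implementation), the following validates the SAML Conditions window of a constructed sample assertion; the clock-skew allowance and the sample issuer are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not taken from the advisory): a five-minute
# validity window expressed through Conditions/NotBefore and NotOnOrAfter.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2026-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2026-06-01T12:00:00Z"
                   NotOnOrAfter="2026-06-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML uses xsd:dateTime in UTC; accept a trailing "Z" as +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, now_iso, skew_seconds=60):
    """Return (ok, reason) for the assertion's Conditions at time now_iso.

    An assertion is rejected when it is expired (NotOnOrAfter) or not yet
    valid (NotBefore), allowing a bounded clock skew (assumed policy value).
    A missing NotOnOrAfter is a rejection, never 'valid indefinitely'.
    """
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "NotOnOrAfter missing"
    # NotOnOrAfter is exclusive: the instant itself is already invalid.
    if now >= parse_saml_time(not_on_or_after) + skew:
        return False, "assertion expired"
    not_before = cond.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before) - skew:
        return False, "assertion not yet valid"
    return True, "ok"
```

A broker that accepts the assertion should also bound the session lifetime it derives from it by NotOnOrAfter, so that an accepted assertion cannot extend a session beyond the window the IdP granted.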


Hotfix Information 

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire 26.2 Release
  • Mindbreeze InSpire SaaS 26.2 Release