HIGHCVE-2026-4282Published Modified CNA redhat
CVE-2026-4282: Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Metrics
- CVSS v3.1
- 7.4
- Severity
- HIGH
- Fixed in
- 26.2.15-1
- Affected Products
- 8
Fix available
26.2.15-126.2-1826.4.11-126.4-14
Affected packages
- Red Hat / Red Hat build of Keycloak 26.2Fixed in 26.2.15-1
- Red Hat / Red Hat build of Keycloak 26.2Fixed in 26.2-18
- Red Hat / Red Hat build of Keycloak 26.2Fixed in 26.2-18
- Red Hat / Red Hat build of Keycloak 26.2.15
- Red Hat / Red Hat build of Keycloak 26.4Fixed in 26.4.11-1
- Red Hat / Red Hat build of Keycloak 26.4Fixed in 26.4-14
- Red Hat / Red Hat build of Keycloak 26.4Fixed in 26.4-14
- Red Hat / Red Hat build of Keycloak 26.4.11
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N