CVE-2026-4282

Published Apr 2, 2026

Last updated 2 months ago

CVSS high 7.4

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-4282 describes a privilege escalation vulnerability found in Keycloak, an open-source identity and access management solution. The flaw resides within Keycloak's SingleUseObjectProvider component, which functions as a global key-value store for single-use tokens like authorization codes. The vulnerability stems from an improper isolation or compartmentalization of types and namespaces within this provider. This deficiency allows an unauthenticated attacker to forge authorization codes. Successful exploitation of this flaw can lead to the creation of access tokens with administrative capabilities.

Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Source
secalert@redhat.com
NVD status
Analyzed
Products
build_of_keycloak

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.4
Impact score
5.2
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
HIGH

Weaknesses

secalert@redhat.com
CWE-653

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. #Keycloak pwnage, all public. 1: CVE-2026-4282 forges admin tokens unauth 2: view-clients leaks every client secret, all versions, open #49220 (PoC: https://t.co/cHWnrejmtR) 3: restart revives rotated refresh tokens, CVE-2026-9802 Not every vuln has a CVE https://t.co/ishDz8aqrN

    @kmkz_security

    24 Jun 2026

    4908 Impressions

    11 Retweets

    58 Likes

    43 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.CVE-2026-9803
  2. A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts.CVE-2026-9798
  3. A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.CVE-2026-9802
  4. A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.CVE-2026-9801
  5. A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.CVE-2026-9795

References

Sources include official advisories and independent security research.