{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4282", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-16T15:53:24.993Z", "datePublished": "2026-04-02T12:44:52.941Z", "dateUpdated": "2026-04-02T16:34:56.651Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.2.15-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.4.11-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6475", "name": "RHSA-2026:6475", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6476", "name": "RHSA-2026:6476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4282", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061", "name": "RHBZ#2448061", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-02T12:30:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-653", "description": "Improper Isolation or Compartmentalization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-653: Improper Isolation or Compartmentalization", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-03-16T15:53:57.767Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T16:34:56.651Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:23:22.750489Z", "id": "CVE-2026-4282", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:24:41.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:23:22.750489Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:23:43.727Z"}}], "cna": {"title": "Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "keycloak-rhel9-operator-container", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4.11-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-16T15:53:57.767Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "datePublic": "2026-04-02T12:30:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4282", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061", "name": "RHBZ#2448061", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-653", "description": "Improper Isolation or Compartmentalization"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T14:09:14.402Z"}, "x_redhatCweChain": "CWE-653: Improper Isolation or Compartmentalization"}}, "cveMetadata": {"cveId": "CVE-2026-4282", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:24:41.770Z", "dateReserved": "2026-03-16T15:53:24.993Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-02T12:44:52.941Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation."}], "id": "CVE-2026-4282", "lastModified": "2026-04-02T17:16:29.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-02T13:16:26.680", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6475"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6476"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6477"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6478"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-4282"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-653"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-operator-bundle:26.2.15-1", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9:26.2-18", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9-operator:26.2-18", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6475", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.2.15", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-operator-bundle:26.4.11-1", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9:26.4-14", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9-operator:26.4-14", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6477", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.4.11", "release_date": "2026-04-02T00:00:00Z"}], "bugzilla": {"description": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw", "id": "2448061", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-653", "details": ["A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-4282", "public_date": "2026-04-02T12:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4282\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4282"], "statement": "This is an IMPORTANT vulnerability in Keycloak. An unauthenticated attacker can exploit a lack of type and namespace isolation in Keycloak's SingleUseObjectProvider to forge authorization codes and obtain admin-capable access tokens. This could lead to unauthorized administrative access within affected Keycloak deployments.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat build of Keycloak 26.4", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T15:52:14.449620+00:00", "value": {"mitigation_remediation": ["Apply the Red\u00a0Hat patch identified by RHSA-2026:6477 or the newer RHSA-2026:6478 to upgrade Keycloak to a version with the SingleUseObjectProvider isolation fix", "After updating, confirm that the authorization code flow rejects any unauthorized codes and that administrative APIs are protected only for legitimate admins", "If a patch is not immediately available, limit network exposure to the Keycloak administration endpoints, disable any custom clients that issue unnecessary authorization codes, and monitor logs for patterns indicative of forged code usage"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Red\u00a0Hat build of Keycloak version\u00a026.4 and the 26.4.11 release running on Enterprise Linux\u00a09. The flaw is tied to the SingleUseObjectProvider component in these specific releases and does not exist in earlier Keycloak versions or in later builds that have applied the isolation fix.", "description_and_impact": "The Keycloak server contains a flaw in the SingleUseObjectProvider component, an in\u2011memory key\u2011value store that is improperly isolated across different data types and namespaces. This weakness is an example of CWE\u2011653, Improper Isolation of Privileges. Because the store does not enforce separation, an attacker can forge OAuth2 authorization codes even when unauthenticated. Using such a forged code during the standard authorization code grant flow, the attacker receives an access token that carries administrative privileges, effectively giving the attacker control over the Keycloak realm and all associated applications.", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity; with an exploit path that requires only the ability to initiate an OAuth flow on a reachable Keycloak instance, an attacker can elevate privileges without authentication. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, but the lack of additional mitigations means the risk remains significant until the vendor releases a patch that restores proper isolation."}}}}, "created": "2026-04-02T20:12:43.473019+00:00", "updated": "2026-04-02T20:21:23.683713+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak"]}