Description
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
Published: 2026-02-19
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allowing token issuance after a Docker registry client is disabled
Action: Assess Impact
AI Analysis

Impact

A flaw in Keycloak's Docker v2 authentication endpoint lets tokens be issued even after an administrator disables a Docker registry client, so credentials that were valid before the client was disabled can still obtain registry authentication tokens. The weakness undermines an administrative control and can allow unintended access to container registry resources. It is an authorization weakness, classified as CWE‑285 (Improper Authorization). Nothing on this page indicates code execution or denial‑of‑service potential; the impact is limited to continued access that the administrator intended to cut off.

Affected Systems

Red Hat Build of Keycloak (including the 26.4 stream and 26.4.10), Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign‑On 7.

Risk and Exploitability

The CVSS 3.1 score of 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) rates the issue Low: it is reachable over the network with low complexity, but the attacker must already hold credentials that Keycloak accepts for the disabled registry client (Privileges Required: High), and the confidentiality and integrity impact is limited. The EPSS probability below 1 % indicates a very low current likelihood of exploitation, the SSVC assessment records no known exploitation and rates the issue not automatable, and it is not listed in the KEV catalog. The realistic scenario is a principal whose credentials were still valid when the client was disabled (a departed user, a leaked service account, or an attacker who obtained them earlier) continuing to request tokens through the Docker registry protocol; switching the client off in the admin console does not stop them, so the control administrators would normally rely on for a rapid cut‑off is ineffective until the fix is applied and the underlying credentials are rotated.

Generated by OpenCVE AI on April 16, 2026 at 17:03 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA‑2026:3947 or RHSA‑2026:3948 to update Keycloak and related JBoss components.
  • After updating, confirm that the Docker v2 authentication endpoint refuses token requests for a disabled Docker registry client. The administrative console has no test‑token function for this protocol, so exercise the endpoint itself: run `docker login` against a registry backed by the disabled client, or send a direct HTTP request to the endpoint, and expect an authentication failure rather than a token.
  • Tokens already issued before the update cannot be recalled from Keycloak: the registry verifies them as signed JWTs against the realm's signing key rather than looking them up in Keycloak. Rotate the credentials that were used with the disabled client, and treat tokens issued before the update as valid until their expiry time passes.
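The verification step above, as an added example (this is not OpenCVE's or Keycloak's own code). It assumes, as labelled in the comments, that the Docker v2 auth endpoint is served at /realms/<realm>/protocol/docker-v2/auth, that the `service` query parameter names the Docker registry client, and that credentials are sent as HTTP Basic auth, which is how a Docker client presents them on `docker login`. The host, realm, client and account names are placeholders. The response classifier is separated from the network call so the decision logic can be checked against captured responses without a live server.

```python
"""Check whether a Keycloak realm still issues Docker v2 tokens for a disabled client.

Added example, not OpenCVE's or Keycloak's code.  Assumptions: the Docker v2
auth endpoint lives at /realms/<realm>/protocol/docker-v2/auth, the `service`
query parameter names the Docker registry client, and credentials travel as
HTTP Basic auth.  Host, realm, client and account names are placeholders.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def docker_auth_url(base_url: str, realm: str, service: str, scope: str) -> str:
    """Build the token request URL.  The path layout is an assumption about Keycloak."""
    query = urllib.parse.urlencode({"service": service, "scope": scope})
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/docker-v2/auth?{query}"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic header value, as a Docker client sends it on `docker login`."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(status: int, body: str) -> str:
    """Interpret a response from the auth endpoint.

    TOKEN_ISSUED  a token came back; with a disabled client this is the CVE behaviour
    REFUSED       401/403, the behaviour expected once the fix is installed
    UNEXPECTED    anything else; inspect the raw response before drawing conclusions
    """
    if status == 200:
        try:
            payload = json.loads(body)
        except ValueError:
            return "UNEXPECTED"
        if isinstance(payload, dict) and "token" in payload:
            return "TOKEN_ISSUED"
        return "UNEXPECTED"
    if status in (401, 403):
        return "REFUSED"
    return "UNEXPECTED"


def request_token(url: str, username: str, password: str, timeout: float = 10.0):
    """Send the request; return (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_disabled_client(base_url, realm, service, scope, username, password) -> str:
    """Full check: "REFUSED" on a fixed server, "TOKEN_ISSUED" on a vulnerable one."""
    status, body = request_token(
        docker_auth_url(base_url, realm, service, scope), username, password
    )
    return classify(status, body)


if __name__ == "__main__":
    # Disable the Docker registry client in the admin console first, then run:
    #   KC_PASSWORD=... python check_docker_client.py https://kc.example.org demo my-registry alice
    # (all placeholder values; the password comes from the environment, not argv)
    if len(sys.argv) != 5 or "KC_PASSWORD" not in os.environ:
        sys.exit("usage: KC_PASSWORD=<pw> check_docker_client.py <base_url> <realm> <docker_client_id> <username>")
    base, realm_name, client_id, user = sys.argv[1:]
    verdict = check_disabled_client(
        base, realm_name, client_id, "repository:app:pull", user, os.environ["KC_PASSWORD"]
    )
    print(verdict)
    sys.exit(0 if verdict == "REFUSED" else 1)
```

A non‑zero exit with TOKEN_ISSUED after the client has been disabled means the running build still has the flaw; UNEXPECTED usually points at a wrong realm, client ID or endpoint path rather than at the vulnerability, so look at the raw response before concluding anything.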

Generated by OpenCVE AI on April 16, 2026 at 17:03 UTC.

Advisories

Source | ID | Title
GitHub GHSA | GHSA-fjf4-6f34-w64q | Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
History

Thu, 05 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:/a:redhat:build_keycloak:26.4::el9
References | | (updated; values not shown)

Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack; Redhat single Sign-on
Vendors & Products | | Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack; Redhat single Sign-on

Fri, 20 Feb 2026 01:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | | (updated; values not shown)
Metrics | threat_severity: None | threat_severity: Low


Thu, 19 Feb 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol
First Time appeared | | Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
Weaknesses | | CWE-285
CPEs | | cpe:/a:redhat:build_keycloak: ; cpe:/a:redhat:jboss_enterprise_application_platform:8 ; cpe:/a:redhat:jbosseapxp ; cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products | | Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
References | | (updated; values not shown)
Metrics | | cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-06T03:31:23.662Z

Reserved: 2026-02-19T07:15:32.860Z

Link: CVE-2026-2733

Vulnrichment

Updated: 2026-02-19T21:31:14.292Z

NVD

Status: Deferred

Published: 2026-02-19T08:16:17.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2733

Redhat

Severity: Low

Public Date: 2026-02-19T00:00:00Z

Links: CVE-2026-2733 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses