Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Published: 2026-04-02
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The Keycloak server contains a flaw in the SingleUseObjectProvider component, a global key-value store that does not isolate the objects it holds by type or by namespace. The weakness is classified as CWE-653, Improper Isolation or Compartmentalization. Because the store does not keep different kinds of single-use objects apart, an unauthenticated attacker can forge OAuth2 authorization codes. Redeeming a forged code through the standard authorization code grant yields an access token with administrative capabilities, which amounts to privilege escalation to realm administration and, through it, control over the clients and users of that realm.
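To make the bug class concrete, the following is an added, hypothetical model written for this page; it is not Keycloak's SingleUseObjectProvider code and not the CVE-2026-4282 exploit path. It shows a single-use store with one flat keyspace beside a namespaced one: two unrelated features (an authenticated code issuer and an unauthenticated path whose key and content the caller chooses) share the flat store, so a planted record can be consumed as if it were an authorization code. All producers, consumers, usernames and roles below are constructed assumptions.

```python
"""Toy model of the bug class behind this CVE: a single-use object store with
one flat keyspace, beside a namespaced version. Added illustration only; this
is not Keycloak's SingleUseObjectProvider code and not the CVE-2026-4282
exploit path. Every producer/consumer below is hypothetical."""
import secrets

# Constructed user directory: the token issuer looks roles up by username.
USER_ROLES = {"alice": ["user"], "admin": ["realm-admin"]}


class FlatSingleUseStore:
    """Vulnerable pattern: one map keyed only by an opaque string, with no
    record of which feature wrote an entry or what it is meant to represent."""

    def __init__(self):
        self._data = {}

    def put(self, key, value):
        self._data[key] = value

    def remove(self, key):
        # Single-use semantics: whoever reads first consumes the entry.
        return self._data.pop(key, None)


class NamespacedSingleUseStore:
    """Hardened pattern: the namespace is part of the key and is also stored
    with the record, so a consumer only ever sees entries its own feature wrote."""

    def __init__(self):
        self._data = {}

    def put(self, namespace, key, value):
        self._data[(namespace, key)] = {"ns": namespace, "value": value}

    def remove(self, namespace, key):
        rec = self._data.pop((namespace, key), None)
        # The tuple key already isolates namespaces; the stored "ns" field is
        # defense in depth against a future change to a flat string key.
        if rec is None or rec["ns"] != namespace:
            return None
        return rec["value"]


def mint_token(username):
    """Constructed token issuer: trusts the username it is handed."""
    return {"sub": username, "roles": USER_ROLES[username]}


# --- vulnerable wiring: two unrelated features share the flat keyspace ---
def flat_issue_auth_code(store, username):
    """Authenticated path: mints a random authorization code for a user."""
    code = secrets.token_urlsafe(32)
    store.put(code, {"username": username})
    return code


def flat_record_login_attempt(store, attempt_id, username):
    """Unauthenticated path: the caller chooses both the key and the username."""
    store.put(attempt_id, {"username": username})


def flat_redeem_auth_code(store, code):
    rec = store.remove(code)
    return None if rec is None else mint_token(rec["username"])


# --- hardened wiring: each feature reads and writes its own namespace ---
AUTH_CODE_NS = "auth_code"
LOGIN_ATTEMPT_NS = "login_attempt"


def ns_issue_auth_code(store, username):
    code = secrets.token_urlsafe(32)
    store.put(AUTH_CODE_NS, code, {"username": username})
    return code


def ns_record_login_attempt(store, attempt_id, username):
    store.put(LOGIN_ATTEMPT_NS, attempt_id, {"username": username})


def ns_redeem_auth_code(store, code):
    rec = store.remove(AUTH_CODE_NS, code)
    return None if rec is None else mint_token(rec["username"])


def demo():
    """Attacker plants a record via the unauthenticated path under a key it
    knows, then presents that key as an authorization code."""
    planted = "attacker-chosen-key"
    flat = FlatSingleUseStore()
    flat_record_login_attempt(flat, planted, "admin")
    forged = flat_redeem_auth_code(flat, planted)   # admin token, never logged in

    ns = NamespacedSingleUseStore()
    ns_record_login_attempt(ns, planted, "admin")
    blocked = ns_redeem_auth_code(ns, planted)      # None: wrong namespace
    return forged, blocked


if __name__ == "__main__":
    print(demo())
```

The fix is not "use a longer random key": the attacker never needs to guess anything, because the unauthenticated path lets them choose the key. The consumer must only be able to read entries its own feature wrote, which is what the namespaced store enforces.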

Affected Systems

The records on this page name the Red Hat build of Keycloak as the affected product, with CPEs cpe:/a:redhat:build_keycloak:26.4::el9 and cpe:/a:redhat:build_keycloak:26.2::el9 (Enterprise Linux 9). The page does not list upstream Keycloak versions or a fixed version. Since SingleUseObjectProvider is an upstream Keycloak SPI and the description says the flaw was found in Keycloak, deployments built from upstream or from other distributions should check their own vendor's advisory rather than assume they are unaffected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) scores 7.4, High: the attack is network-reachable and needs neither privileges nor user interaction, but attack complexity is rated High, so exploitation depends on conditions beyond simply starting an OAuth flow against a reachable instance. Confidentiality and integrity impact are both High, which is consistent with obtaining an admin-capable token. No EPSS score is available, the CVE is not in CISA's KEV catalog, and the SSVC assessment recorded on this page lists Exploitation: none, Automatable: no and Technical Impact: total. Red Hat rates the issue Important and lists no workaround that meets its criteria, so applying the fixed build is the only complete mitigation.

Generated by OpenCVE AI on April 2, 2026 at 15:52 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat update that carries the SingleUseObjectProvider isolation fix (this page names RHSA-2026:6477 and RHSA-2026:6478); use the advisory that matches your Keycloak stream
  • After updating, verify the running version against the advisory, confirm that the token endpoint answers a fabricated or replayed authorization code with invalid_grant, and audit which users and service accounts hold realm-admin or manage-* roles, since those are what a forged token would inherit
  • Until the update is applied, restrict network access to the admin console and admin REST API so a forged token cannot reach them from the open internet, review clients for unnecessarily permissive settings, and, with event logging enabled, alert on token-endpoint anomalies such as bursts of CODE_TO_TOKEN_ERROR events with error=invalid_code or CODE_TO_TOKEN events whose session has no preceding LOGIN
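The monitoring item above, as an added detection sketch written for this page (not OpenCVE's or Keycloak's code). It parses Keycloak event-log lines and flags a CODE_TO_TOKEN event that follows a burst of invalid_code errors from the same IP, or whose sessionId never appeared in a LOGIN event. The sample lines are constructed in the key=value style of Keycloak's jboss-logging event listener; the exact field set and quoting differ between versions, so FIELD_RE, the field names and the thresholds are assumptions to check against your own logs.

```python
"""Added detection sketch (not OpenCVE's or Keycloak's code): scan Keycloak
event-log lines for signs of forged authorization-code redemption. Sample
lines are constructed in the key=value style of Keycloak's jboss-logging
event listener; field names and quoting vary by version, so treat FIELD_RE
and the field names as assumptions to verify against real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three invalid_code failures then a success from one IP
# with a session that never logged in, followed by a normal login+redeem.
SAMPLE_LOG = """\
2026-04-02 12:00:01,101 WARN  [org.keycloak.events] (executor-thread-3) type="CODE_TO_TOKEN_ERROR", realmId="a1b2", clientId="security-admin-console", userId="null", ipAddress="203.0.113.7", error="invalid_code", grant_type="authorization_code"
2026-04-02 12:00:02,204 WARN  [org.keycloak.events] (executor-thread-3) type="CODE_TO_TOKEN_ERROR", realmId="a1b2", clientId="security-admin-console", userId="null", ipAddress="203.0.113.7", error="invalid_code", grant_type="authorization_code"
2026-04-02 12:00:03,310 WARN  [org.keycloak.events] (executor-thread-4) type="CODE_TO_TOKEN_ERROR", realmId="a1b2", clientId="security-admin-console", userId="null", ipAddress="203.0.113.7", error="invalid_code", grant_type="authorization_code"
2026-04-02 12:00:04,415 INFO  [org.keycloak.events] (executor-thread-4) type="CODE_TO_TOKEN", realmId="a1b2", clientId="security-admin-console", userId="0f8c5d2e-admin", sessionId="sess-2222", ipAddress="203.0.113.7", grant_type="authorization_code"
2026-04-02 12:01:10,000 INFO  [org.keycloak.events] (executor-thread-5) type="LOGIN", realmId="a1b2", clientId="account-console", userId="7e6d5c4b-alice", sessionId="sess-1111", ipAddress="198.51.100.4", username="alice"
2026-04-02 12:01:11,000 INFO  [org.keycloak.events] (executor-thread-5) type="CODE_TO_TOKEN", realmId="a1b2", clientId="account-console", userId="7e6d5c4b-alice", sessionId="sess-1111", ipAddress="198.51.100.4", grant_type="authorization_code"
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
# key="quoted value" or key=bare_value (older listener versions omit quotes)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_event(line):
    """Return a dict of event fields plus 'ts', or None for non-event lines."""
    m = TS_RE.match(line)
    if m is None or "[org.keycloak.events]" not in line:
        return None
    ev = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
    for key, quoted, bare in FIELD_RE.findall(line):
        ev[key] = quoted if quoted else bare
    return ev if "type" in ev else None


def detect(lines, burst=3, window=timedelta(minutes=5)):
    """Flag CODE_TO_TOKEN events that (a) follow at least `burst` invalid_code
    errors from the same IP within `window`, and/or (b) carry a sessionId for
    which no LOGIN event appeared earlier in the scanned lines."""
    errors_by_ip = defaultdict(list)   # ip -> timestamps of invalid_code errors
    logged_in_sessions = set()         # sessionIds created by a LOGIN event
    findings = []
    for ev in filter(None, map(parse_event, lines)):
        kind = ev["type"]
        if kind == "LOGIN":
            logged_in_sessions.add(ev.get("sessionId"))
        elif kind == "CODE_TO_TOKEN_ERROR" and ev.get("error") == "invalid_code":
            errors_by_ip[ev.get("ipAddress")].append(ev["ts"])
        elif kind == "CODE_TO_TOKEN":
            ip = ev.get("ipAddress")
            recent = [t for t in errors_by_ip[ip] if ev["ts"] - t <= window]
            reasons = []
            if len(recent) >= burst:
                reasons.append(f"{len(recent)} invalid_code errors from {ip} within {window}")
            if ev.get("sessionId") not in logged_in_sessions:
                reasons.append("no LOGIN event for this sessionId in the scanned window")
            if reasons:
                findings.append({"ts": ev["ts"], "ip": ip, "userId": ev.get("userId"),
                                 "clientId": ev.get("clientId"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["userId"], f["clientId"], "; ".join(f["reasons"]))
```

Treat the missing-LOGIN signal as the primary one: a forged code that works on the first try produces no invalid_code errors at all, so the burst heuristic alone would miss it. The session heuristic needs enough log history to contain the LOGIN; scanning a freshly rotated file will flag legitimate redemptions whose login fell in the previous file, so feed it a window that spans the session lifetime or correlate against your SIEM's LOGIN events instead.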



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 01:30:00 +0000
  Metrics (threat_severity): None -> Important
  References: updated

Thu, 02 Apr 2026 20:30:00 +0000
  First Time appeared: Redhat build Of Keycloak
  CPEs added: cpe:/a:redhat:build_keycloak:26.2::el9
  Vendors & Products added: Redhat build Of Keycloak
  References: updated

Thu, 02 Apr 2026 15:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:15:00 +0000
  CPEs: cpe:/a:redhat:build_keycloak: -> cpe:/a:redhat:build_keycloak:26.4::el9
  References: updated

Thu, 02 Apr 2026 13:15:00 +0000
  Description added: A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
  Title added: Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw
  First Time appeared: Redhat; Redhat build Keycloak
  Weaknesses added: CWE-653
  CPEs added: cpe:/a:redhat:build_keycloak:
  Vendors & Products added: Redhat; Redhat build Keycloak
  References: added
  Metrics (cvssV3_1) added: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Redhat, Build Keycloak, Build Of Keycloak
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:34:56.651Z

Reserved: 2026-03-16T15:53:24.993Z

Link: CVE-2026-4282

Vulnrichment

Updated: 2026-04-02T14:23:43.727Z

NVD

Status : Received

Published: 2026-04-02T13:16:26.680

Modified: 2026-04-02T17:16:29.297

Link: CVE-2026-4282

Redhat

Severity : Important

Public Date: 2026-04-02T12:30:00Z

Links: CVE-2026-4282 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:21:23Z

Weaknesses