Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Published: 2026-04-02
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

A flaw in Keycloak's SingleUseObjectProvider, a global key-value store, fails to enforce proper type and namespace isolation. This weakness permits an unauthenticated attacker to forge authorization codes. When these forged codes are exchanged, Keycloak issues access tokens that carry administrative privileges, effectively allowing the attacker to gain full control over the system. The issue aligns with CWE-653, reflecting improper isolation of objects within the process.

Affected Systems

The affected releases are Red Hat builds of Keycloak 26.2 (including 26.2.15) and 26.4 (including 26.4.11). These versions run on Red Hat Enterprise Linux 9 and should be scheduled for remediation.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.4, indicating high severity. No authentication is required and exploitation can be performed over the network by sending crafted requests. The EPSS score is not available and the vulnerability is not yet listed in the CISA KEV catalog; however, the potential impact remains significant, as successful exploitation results in total privilege escalation, compromising confidentiality, integrity, and availability of the protected resources.

Generated by OpenCVE AI on April 2, 2026 at 23:18 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
OpenCVE Recommended Actions

  • Apply the latest Red Hat Keycloak update that resolves CVE-2026-4282.
  • No official workaround available; rely on patching.
  • Limit Keycloak exposure to trusted IP ranges or behind a firewall.
  • Monitor system logs for abnormal token issuance or admin activity.

Advisories

  Source: Github GHSA
  ID: GHSA-hj93-h7pg-fh6v
  Title: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
History

Thu, 16 Apr 2026 21:00:00 +0000

  CPEs
    Values removed: (none)
    Values added:
      cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
      cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*
      cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*
      cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*
      cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*

Fri, 03 Apr 2026 01:30:00 +0000

  References
  Metrics (threat_severity)
    Values removed: None
    Values added: Important

Thu, 02 Apr 2026 20:30:00 +0000

  First Time appeared
    Values added: Redhat build Of Keycloak
  CPEs
    Values added: cpe:/a:redhat:build_keycloak:26.2::el9
  Vendors & Products
    Values added: Redhat build Of Keycloak
  References

Thu, 02 Apr 2026 15:15:00 +0000

  Metrics (ssvc)
    Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:15:00 +0000

  CPEs
    Values removed: cpe:/a:redhat:build_keycloak:
    Values added: cpe:/a:redhat:build_keycloak:26.4::el9
  References

Thu, 02 Apr 2026 13:15:00 +0000

  Description
    Values added: A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
  Title
    Values added: Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw
  First Time appeared
    Values added: Redhat; Redhat build Keycloak
  Weaknesses
    Values added: CWE-653
  CPEs
    Values added: cpe:/a:redhat:build_keycloak:
  Vendors & Products
    Values added: Redhat; Redhat build Keycloak
  References
  Metrics (cvssV3_1)
    Values added: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-07T11:27:33.522Z

Reserved: 2026-03-16T15:53:24.993Z

Link: CVE-2026-4282

Vulnrichment

Updated: 2026-04-02T14:23:43.727Z

NVD

Status : Analyzed

Published: 2026-04-02T13:16:26.680

Modified: 2026-04-16T20:52:33.477

Link: CVE-2026-4282

Redhat

Severity : Important

Public Date: 2026-04-02T12:30:00Z

Links: CVE-2026-4282 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:49Z

Weaknesses