Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-1035 (GCVE-0-2026-1035)
Vulnerability from cvelistv5 – Published: 2026-01-21 05:52 – Updated: 2026-04-02 16:47
VLAI?
EPSS
Title
Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition
Summary
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
Severity ?
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.11-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
Date Public ?
2026-01-21 00:00
Credits
Red Hat would like to thank Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-21T14:37:07.867592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T14:40:53.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.11-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-14",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-14",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.11",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-services",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-services",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-services",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) for reporting this issue."
}
],
"datePublic": "2026-01-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:47:18.487Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:6477",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"name": "RHSA-2026:6478",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-1035"
},
{
"name": "RHBZ#2430314",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430314"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T06:45:27.223Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-01-21T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-1035",
"datePublished": "2026-01-21T05:52:22.495Z",
"dateReserved": "2026-01-16T07:03:59.680Z",
"dateUpdated": "2026-04-02T16:47:18.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-1035\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-01-21T06:15:46.937\",\"lastModified\":\"2026-04-02T14:16:25.143\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una falla en el servidor Keycloak durante el procesamiento de tokens de actualizaci\u00f3n, espec\u00edficamente en la clase TokenManager responsable de aplicar las pol\u00edticas de reutilizaci\u00f3n de tokens de actualizaci\u00f3n. Cuando la rotaci\u00f3n estricta de tokens de actualizaci\u00f3n est\u00e1 habilitada, la validaci\u00f3n y actualizaci\u00f3n del uso del token de actualizaci\u00f3n no se realizan de forma at\u00f3mica. Esto permite que las solicitudes de actualizaci\u00f3n concurrentes eludan la aplicaci\u00f3n del uso \u00fanico y emitan m\u00faltiples tokens de acceso desde el mismo token de actualizaci\u00f3n. Como resultado, el endurecimiento de la rotaci\u00f3n de tokens de actualizaci\u00f3n de Keycloak puede verse socavado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2026:6477\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:6478\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-1035\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2430314\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1035\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-21T14:37:07.867592Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-21T14:40:46.720Z\"}}], \"cna\": {\"title\": \"Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Low\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-14\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"keycloak-rhel9-operator-container\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4.11-1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-14\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4.11\", \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 8\", \"packageName\": \"keycloak-services\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jbosseapxp\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform Expansion Pack\", \"packageName\": \"keycloak-services\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:red_hat_single_sign_on:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Single Sign-On 7\", \"packageName\": \"keycloak-services\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-16T06:45:27.223Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-01-21T00:00:00.000Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-01-21T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2026:6477\", \"name\": \"RHSA-2026:6477\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:6478\", \"name\": \"RHSA-2026:6478\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2026-1035\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2430314\", \"name\": \"RHBZ#2430314\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\\u2019s refresh token rotation hardening can be undermined.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-367\", \"description\": \"Time-of-check Time-of-use (TOCTOU) Race Condition\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-04-02T13:59:02.853Z\"}, \"x_redhatCweChain\": \"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-1035\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T13:59:02.853Z\", \"dateReserved\": \"2026-01-16T07:03:59.680Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-01-21T05:52:22.495Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:6477
Vulnerability from csaf_redhat - Published: 2026-04-02 13:54 - Updated: 2026-04-02 16:39Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.11 Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.4.11 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.4.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure (CVE-2025-14082)
* Improper Access Control in Admin REST API leads to information disclosure (CVE-2025-14083)
* keycloak-rhel9-operator: Keycloak IDOR in realm client creating/deleting (CVE-2025-14777)
* Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (CVE-2026-1035)
* Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (CVE-2026-1180)
* Information Disclosure via improper role enforcement in UMA 2.0 Protection API (CVE-2026-3190)
* Privilege escalation via manage-clients permission (CVE-2026-3121)
* Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)
* Information disclosure of disabled user attributes via administrative endpoint (CVE-2026-3911)
* Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API (CVE-2026-3429)
* Information disclosure via authorization bypass in Admin API (CVE-2026-2366)
* Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)
* UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (CVE-2026-4636)
* Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)
* Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
CWE-284 - Improper Access Control
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
CWE-284 - Improper Access Control
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
6.0 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
5.8 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
CWE-639 - Authorization Bypass Through User-Controlled Key
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
6.5 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.
4.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
4.2 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
7.3 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
7.4 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
5.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
7.5 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
8.1 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6477
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
References
Acknowledgments
securetackles
Muhammad Usman (HackerSSG)
Joshua Rogers
Indiesecurity
Mohamed Amine ait Ouchebou (mrecho)
Lucas Montes (Nirox)
Reynaldo Immanuel
Joy Gilbert
Independent Security Researcher
Evan Hendra
hamayanhamayan
drak3hft7
Ngọc Chung Kim
Slvrqn
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.4.11 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.4.11 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure (CVE-2025-14082)\n* Improper Access Control in Admin REST API leads to information disclosure (CVE-2025-14083)\n* keycloak-rhel9-operator: Keycloak IDOR in realm client creating/deleting (CVE-2025-14777)\n* Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (CVE-2026-1035)\n* Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (CVE-2026-1180)\n* Information Disclosure via improper role enforcement in UMA 2.0 Protection API (CVE-2026-3190)\n* Privilege escalation via manage-clients permission (CVE-2026-3121)\n* Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)\n* Information disclosure of disabled user attributes via administrative endpoint (CVE-2026-3911)\n* Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API (CVE-2026-3429)\n* Information disclosure via authorization bypass in Admin API (CVE-2026-2366)\n* Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)\n* UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (CVE-2026-4636)\n* Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)\n* Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6477",
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6477.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.11 Update",
"tracking": {
"current_release_date": "2026-04-02T16:39:24+00:00",
"generator": {
"date": "2026-04-02T16:39:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2026:6477",
"initial_release_date": "2026-04-02T13:54:47+00:00",
"revision_history": [
{
"date": "2026-04-02T13:54:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-02T13:54:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-02T16:39:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4.11",
"product": {
"name": "Red Hat build of Keycloak 26.4.11",
"product_id": "Red Hat build of Keycloak 26.4.11",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Muhammad Usman (HackerSSG)"
],
"organization": "securetackles"
}
],
"cve": "CVE-2025-14082",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-12-05T05:12:33.293000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419078"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-services: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The highest threat is to confidentiality. This flaw allows a remote authenticated attacker with high-privileged but restricted access to the Keycloak Admin REST API to retrieve sensitive role metadata, which can be used to map privilege structures and plan targeted privilege-escalation attempts.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-14082"
},
{
"category": "external",
"summary": "RHBZ#2419078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419078"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-14082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14082"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-14082",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14082"
}
],
"release_date": "2025-12-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak-services: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure"
},
{
"acknowledgments": [
{
"names": [
"Muhammad Usman (HackerSSG)"
],
"organization": "securetackles"
}
],
"cve": "CVE-2025-14083",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-12-05T05:58:23.043000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419086"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this as Low because the vulnerability allows a low-privileged user with \u0027create-client\u0027 permission to access internal user profile schema data, which is considered information disclosure. While this exposure of backend schema and rules could potentially be leveraged for targeted attacks or privilege escalation, it does not directly lead to immediate compromise of user accounts or system integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-14083"
},
{
"category": "external",
"summary": "RHBZ#2419086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419086"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-14083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14083"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-14083",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14083"
}
],
"release_date": "2025-12-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure"
},
{
"acknowledgments": [
{
"names": [
"Joshua Rogers"
]
}
],
"cve": "CVE-2025-14777",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2025-12-16T04:55:24.347000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2422596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak IDOR in realm client creating/deleting",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-14777"
},
{
"category": "external",
"summary": "RHBZ#2422596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-14777",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14777"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-14777",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14777"
}
],
"release_date": "2025-12-16T04:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak IDOR in realm client creating/deleting"
},
{
"acknowledgments": [
{
"names": [
"Mohamed Amine ait Ouchebou (mrecho)"
],
"organization": "Indiesecurity"
}
],
"cve": "CVE-2026-1035",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-01-16T06:45:27.223000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430314"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc: Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated LOW for Red Hat. A race condition in the Keycloak TokenManager allows an attacker to bypass the refreshTokenMaxReuse security policy when it is explicitly configured for strict single-use (set to zero). This enables a single refresh token to be exchanged for multiple valid access tokens through concurrent requests, undermining the Refresh Token Rotation hardening measure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1035"
},
{
"category": "external",
"summary": "RHBZ#2430314",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430314"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1035"
}
],
"release_date": "2026-01-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.protocol.oidc: Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition"
},
{
"acknowledgments": [
{
"names": [
"Lucas Montes (Nirox)"
]
}
],
"cve": "CVE-2026-1180",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-01-19T07:32:59.317000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430781"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was identified in Keycloak\u2019s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc: Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat. The flaw in Keycloak\u0027s OIDC Dynamic Client Registration allows an attacker to force the Keycloak server to make requests to internal network resources via a crafted jwks_uri parameter. This can lead to information disclosure and internal network reconnaissance, particularly in configurations that permit anonymous or token-based client registration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1180"
},
{
"category": "external",
"summary": "RHBZ#2430781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430781"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1180",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1180"
}
],
"release_date": "2026-01-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.protocol.oidc: Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri"
},
{
"acknowledgments": [
{
"names": [
"Reynaldo Immanuel",
"Joy Gilbert"
]
}
],
"cve": "CVE-2026-2366",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-02-11T19:56:33.601000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2439081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim\u0027s unique identifier (UUID) and the Organizations feature is enabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via authorization bypass in Admin API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This LOW impact authorization bypass in the Keycloak Admin API allows an authenticated user to enumerate organization memberships of other users if their UUID is known. This occurs when the Organizations feature is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2366"
},
{
"category": "external",
"summary": "RHBZ#2439081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2366",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2366"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2366",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2366"
}
],
"release_date": "2026-02-11T11:11:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Keycloak: Information disclosure via authorization bypass in Admin API"
},
{
"cve": "CVE-2026-3121",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-02-24T13:06:55.355000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2442277"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated MODERATE. A privilege escalation flaw exists in Keycloak where an administrator with `manage-clients` permission can escalate privileges if \"Admin Permissions\" are enabled at the realm level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3121"
},
{
"category": "external",
"summary": "RHBZ#2442277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442277"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3121"
}
],
"release_date": "2026-02-24T11:11:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-3190",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges "
},
"discovery_date": "2026-02-25T08:27:54.804000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2442572"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The issue was rated as Moderate. This flaw in Keycloak allows information disclosure due to improper role enforcement in the UMA 2.0 Protection API. An authenticated user with a token issued for a resource server client, even without the `uma_protection` role, can enumerate all permission tickets in the system.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3190"
},
{
"category": "external",
"summary": "RHBZ#2442572",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442572"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3190"
}
],
"release_date": "2026-02-25T07:07:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API"
},
{
"acknowledgments": [
{
"names": [
"hamayanhamayan"
]
}
],
"cve": "CVE-2026-3429",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2026-03-02T09:10:32.484000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2443771"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim\u2019s password can delete the victim\u2019s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This MODERATE impact vulnerability in the Keycloak Account REST API allows an attacker with a victim\u0027s primary credentials to bypass multi-factor authentication (MFA). By exploiting insufficient validation of the authentication Level of Assurance (LoA), an attacker can delete a victim\u0027s registered MFA device and register their own, leading to full account takeover. This requires network access and valid credentials, but no user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3429"
},
{
"category": "external",
"summary": "RHBZ#2443771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3429",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3429"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3429"
}
],
"release_date": "2026-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API"
},
{
"cve": "CVE-2026-3872",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-03-10T09:16:29.034000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445988"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Keycloak\u0027s `redirect_uri` validation logic. An attacker controlling another path on the same web server could bypass allowed paths in wildcard `redirect_uri` configurations, potentially leading to access token theft. This affects Red Hat Build of Keycloak (RHBK) versions rhbk-26.2 and rhbk-26.4. Red Hat Build of Keycloak (RHBK) version rhbk-26 is not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3872"
},
{
"category": "external",
"summary": "RHBZ#2445988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3872",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3872"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass"
},
{
"acknowledgments": [
{
"names": [
"drak3hft7"
]
}
],
"cve": "CVE-2026-3911",
"cwe": {
"id": "CWE-359",
"name": "Exposure of Private Personal Information to an Unauthorized Actor"
},
"discovery_date": "2026-03-11T03:30:01.455000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2446392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.services.resources.admin.UserResource: Keycloak: Information disclosure of disabled user attributes via administrative endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a LOW impact flaw in Keycloak where disabled unmanaged user attributes are disclosed. An authenticated user with the `view-users` role can access attributes that are configured to be hidden from both users and administrators, violating the intended privacy settings.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3911"
},
{
"category": "external",
"summary": "RHBZ#2446392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3911",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3911"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3911",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3911"
}
],
"release_date": "2026-03-11T03:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.services.resources.admin.UserResource: Keycloak: Information disclosure of disabled user attributes via administrative endpoint"
},
{
"cve": "CVE-2026-4282",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-03-16T15:53:57.767000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448061"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an IMPORTANT vulnerability in Keycloak. An unauthenticated attacker can exploit a lack of type and namespace isolation in Keycloak\u0027s SingleUseObjectProvider to forge authorization codes and obtain admin-capable access tokens. This could lead to unauthorized administrative access within affected Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4282"
},
{
"category": "external",
"summary": "RHBZ#2448061",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw"
},
{
"acknowledgments": [
{
"names": [
"Ng\u1ecdc Chung Kim"
]
}
],
"cve": "CVE-2026-4325",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-03-17T12:43:09.194000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448351"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Replay of action tokens via improper handling of single-use entries",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw in Keycloak\u0027s SingleUseObjectProvider has a MODERATE impact. It allows an attacker to delete arbitrary single-use entries, which could lead to the replay of consumed action tokens such as password reset links. Exploitation requires high attack complexity and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4325"
},
{
"category": "external",
"summary": "RHBZ#2448351",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448351"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4325",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Replay of action tokens via improper handling of single-use entries"
},
{
"acknowledgments": [
{
"names": [
"Slvrqn"
]
}
],
"cve": "CVE-2026-4634",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-03-23T08:40:02.817000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450250"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Red Hat Build of Keycloak (RHBK). An unauthenticated attacker can exploit this flaw by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect token endpoint, leading to high resource consumption and prolonged processing times on the Keycloak server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4634"
},
{
"category": "external",
"summary": "RHBZ#2450250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450250"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4634",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4634"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4634"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters"
},
{
"cve": "CVE-2026-4636",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-23T08:15:12.427000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450251"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Keycloak allows an authenticated user with the `uma_protection` role to bypass User-Managed Access (UMA) policy validation. Exploitation requires that victim users have created UMA-protected resources with `ownerManagedAccess` enabled and that authorization services are enabled on the client. This flaw enables an attacker to gain unauthorized permissions to victim-owned resources within Red Hat Build of Keycloak.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.11"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4636"
},
{
"category": "external",
"summary": "RHBZ#2450251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4636"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:54:47+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.11"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources."
}
]
}
RHSA-2026:6478
Vulnerability from csaf_redhat - Published: 2026-04-02 13:58 - Updated: 2026-04-02 16:39Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.11 Images Update
Severity
Important
Notes
Topic: New images are available for Red Hat build of Keycloak 26.4.11 and Red Hat build of Keycloak 26.4.11 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.11 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.4.11 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure (CVE-2025-14082)
* Improper Access Control in Admin REST API leads to information disclosure (CVE-2025-14083)
* keycloak-rhel9-operator: Keycloak IDOR in realm client creating/deleting (CVE-2025-14777)
* Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (CVE-2026-1035)
* Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (CVE-2026-1180)
* Information Disclosure via improper role enforcement in UMA 2.0 Protection API (CVE-2026-3190)
* Privilege escalation via manage-clients permission (CVE-2026-3121)
* Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)
* Information disclosure of disabled user attributes via administrative endpoint (CVE-2026-3911)
* Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API (CVE-2026-3429)
* Information disclosure via authorization bypass in Admin API (CVE-2026-2366)
* Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)
* UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (CVE-2026-4636)
* Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)
* Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
CWE-284 - Improper Access Control
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
CWE-284 - Improper Access Control
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
6.0 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
5.8 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
CWE-639 - Authorization Bypass Through User-Controlled Key
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
6.5 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.
4.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
4.2 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
7.3 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
7.4 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
5.3 (Medium)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
7.5 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.
8.1 (High)
Vendor Fix
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
https://access.redhat.com/errata/RHSA-2026:6478
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Acknowledgments
securetackles
Muhammad Usman (HackerSSG)
Joshua Rogers
Indiesecurity
Mohamed Amine ait Ouchebou (mrecho)
Lucas Montes (Nirox)
Reynaldo Immanuel
Joy Gilbert
Independent Security Researcher
Evan Hendra
hamayanhamayan
drak3hft7
Ngọc Chung Kim
Slvrqn
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.4.11 and Red Hat build of Keycloak 26.4.11 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.11 clusters.\n\nThis erratum releases new images for Red Hat build of Keycloak 26.4.11 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure (CVE-2025-14082)\n* Improper Access Control in Admin REST API leads to information disclosure (CVE-2025-14083)\n* keycloak-rhel9-operator: Keycloak IDOR in realm client creating/deleting (CVE-2025-14777)\n* Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (CVE-2026-1035)\n* Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (CVE-2026-1180)\n* Information Disclosure via improper role enforcement in UMA 2.0 Protection API (CVE-2026-3190)\n* Privilege escalation via manage-clients permission (CVE-2026-3121)\n* Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)\n* Information disclosure of disabled user attributes via administrative endpoint (CVE-2026-3911)\n* Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API (CVE-2026-3429)\n* Information disclosure via authorization bypass in Admin API (CVE-2026-2366)\n* Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)\n* UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (CVE-2026-4636)\n* Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)\n* Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6478",
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6478.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.11 Images Update",
"tracking": {
"current_release_date": "2026-04-02T16:39:25+00:00",
"generator": {
"date": "2026-04-02T16:39:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2026:6478",
"initial_release_date": "2026-04-02T13:58:01+00:00",
"revision_history": [
{
"date": "2026-04-02T13:58:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-02T13:58:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-02T16:39:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4",
"product": {
"name": "Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-14"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-14"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-14"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.4.11-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-14"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-14"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-14"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-14"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-14"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Muhammad Usman (HackerSSG)"
],
"organization": "securetackles"
}
],
"cve": "CVE-2025-14082",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-12-05T05:12:33.293000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419078"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-services: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The highest threat is to confidentiality. This flaw allows a remote authenticated attacker with high-privileged but restricted access to the Keycloak Admin REST API to retrieve sensitive role metadata, which can be used to map privilege structures and plan targeted privilege-escalation attempts.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-14082"
},
{
"category": "external",
"summary": "RHBZ#2419078",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419078"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-14082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14082"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-14082",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14082"
}
],
"release_date": "2025-12-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak-services: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure"
},
{
"acknowledgments": [
{
"names": [
"Muhammad Usman (HackerSSG)"
],
"organization": "securetackles"
}
],
"cve": "CVE-2025-14083",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-12-05T05:58:23.043000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419086"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this as Low because the vulnerability allows a low-privileged user with \u0027create-client\u0027 permission to access internal user profile schema data, which is considered information disclosure. While this exposure of backend schema and rules could potentially be leveraged for targeted attacks or privilege escalation, it does not directly lead to immediate compromise of user accounts or system integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-14083"
},
{
"category": "external",
"summary": "RHBZ#2419086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419086"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-14083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14083"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-14083",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14083"
}
],
"release_date": "2025-12-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure"
},
{
"acknowledgments": [
{
"names": [
"Joshua Rogers"
]
}
],
"cve": "CVE-2025-14777",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2025-12-16T04:55:24.347000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2422596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak IDOR in realm client creating/deleting",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-14777"
},
{
"category": "external",
"summary": "RHBZ#2422596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-14777",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14777"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-14777",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14777"
}
],
"release_date": "2025-12-16T04:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak IDOR in realm client creating/deleting"
},
{
"acknowledgments": [
{
"names": [
"Mohamed Amine ait Ouchebou (mrecho)"
],
"organization": "Indiesecurity"
}
],
"cve": "CVE-2026-1035",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-01-16T06:45:27.223000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430314"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc: Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated LOW for Red Hat. A race condition in the Keycloak TokenManager allows an attacker to bypass the refreshTokenMaxReuse security policy when it is explicitly configured for strict single-use (set to zero). This enables a single refresh token to be exchanged for multiple valid access tokens through concurrent requests, undermining the Refresh Token Rotation hardening measure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1035"
},
{
"category": "external",
"summary": "RHBZ#2430314",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430314"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1035"
}
],
"release_date": "2026-01-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.protocol.oidc: Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition"
},
{
"acknowledgments": [
{
"names": [
"Lucas Montes (Nirox)"
]
}
],
"cve": "CVE-2026-1180",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-01-19T07:32:59.317000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430781"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was identified in Keycloak\u2019s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc: Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat. The flaw in Keycloak\u0027s OIDC Dynamic Client Registration allows an attacker to force the Keycloak server to make requests to internal network resources via a crafted jwks_uri parameter. This can lead to information disclosure and internal network reconnaissance, particularly in configurations that permit anonymous or token-based client registration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1180"
},
{
"category": "external",
"summary": "RHBZ#2430781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430781"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1180",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1180"
}
],
"release_date": "2026-01-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.protocol.oidc: Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri"
},
{
"acknowledgments": [
{
"names": [
"Reynaldo Immanuel",
"Joy Gilbert"
]
}
],
"cve": "CVE-2026-2366",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-02-11T19:56:33.601000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2439081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim\u0027s unique identifier (UUID) and the Organizations feature is enabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via authorization bypass in Admin API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This LOW impact authorization bypass in the Keycloak Admin API allows an authenticated user to enumerate organization memberships of other users if their UUID is known. This occurs when the Organizations feature is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2366"
},
{
"category": "external",
"summary": "RHBZ#2439081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2366",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2366"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2366",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2366"
}
],
"release_date": "2026-02-11T11:11:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Keycloak: Information disclosure via authorization bypass in Admin API"
},
{
"cve": "CVE-2026-3121",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-02-24T13:06:55.355000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2442277"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated MODERATE. A privilege escalation flaw exists in Keycloak where an administrator with `manage-clients` permission can escalate privileges if \"Admin Permissions\" are enabled at the realm level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3121"
},
{
"category": "external",
"summary": "RHBZ#2442277",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442277"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3121"
}
],
"release_date": "2026-02-24T11:11:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak/keycloak-services: Keycloak: Privilege escalation via manage-clients permission"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-3190",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges "
},
"discovery_date": "2026-02-25T08:27:54.804000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2442572"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The issue was rated as Moderate. This flaw in Keycloak allows information disclosure due to improper role enforcement in the UMA 2.0 Protection API. An authenticated user with a token issued for a resource server client, even without the `uma_protection` role, can enumerate all permission tickets in the system.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3190"
},
{
"category": "external",
"summary": "RHBZ#2442572",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442572"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3190",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3190"
}
],
"release_date": "2026-02-25T07:07:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API"
},
{
"acknowledgments": [
{
"names": [
"hamayanhamayan"
]
}
],
"cve": "CVE-2026-3429",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2026-03-02T09:10:32.484000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2443771"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim\u2019s password can delete the victim\u2019s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This MODERATE impact vulnerability in the Keycloak Account REST API allows an attacker with a victim\u0027s primary credentials to bypass multi-factor authentication (MFA). By exploiting insufficient validation of the authentication Level of Assurance (LoA), an attacker can delete a victim\u0027s registered MFA device and register their own, leading to full account takeover. This requires network access and valid credentials, but no user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3429"
},
{
"category": "external",
"summary": "RHBZ#2443771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3429",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3429"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3429"
}
],
"release_date": "2026-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.services.resources.account: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API"
},
{
"cve": "CVE-2026-3872",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-03-10T09:16:29.034000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445988"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Keycloak\u0027s `redirect_uri` validation logic. An attacker controlling another path on the same web server could bypass allowed paths in wildcard `redirect_uri` configurations, potentially leading to access token theft. This affects Red Hat Build of Keycloak (RHBK) versions rhbk-26.2 and rhbk-26.4. Red Hat Build of Keycloak (RHBK) version rhbk-26 is not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3872"
},
{
"category": "external",
"summary": "RHBZ#2445988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3872",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3872"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass"
},
{
"acknowledgments": [
{
"names": [
"drak3hft7"
]
}
],
"cve": "CVE-2026-3911",
"cwe": {
"id": "CWE-359",
"name": "Exposure of Private Personal Information to an Unauthorized Actor"
},
"discovery_date": "2026-03-11T03:30:01.455000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2446392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.services.resources.admin.UserResource: Keycloak: Information disclosure of disabled user attributes via administrative endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a LOW impact flaw in Keycloak where disabled unmanaged user attributes are disclosed. An authenticated user with the `view-users` role can access attributes that are configured to be hidden from both users and administrators, violating the intended privacy settings.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-3911"
},
{
"category": "external",
"summary": "RHBZ#2446392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-3911",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3911"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3911",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3911"
}
],
"release_date": "2026-03-11T03:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.services.resources.admin.UserResource: Keycloak: Information disclosure of disabled user attributes via administrative endpoint"
},
{
"cve": "CVE-2026-4282",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-03-16T15:53:57.767000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448061"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an IMPORTANT vulnerability in Keycloak. An unauthenticated attacker can exploit a lack of type and namespace isolation in Keycloak\u0027s SingleUseObjectProvider to forge authorization codes and obtain admin-capable access tokens. This could lead to unauthorized administrative access within affected Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4282"
},
{
"category": "external",
"summary": "RHBZ#2448061",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw"
},
{
"acknowledgments": [
{
"names": [
"Ng\u1ecdc Chung Kim"
]
}
],
"cve": "CVE-2026-4325",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-03-17T12:43:09.194000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448351"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Replay of action tokens via improper handling of single-use entries",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw in Keycloak\u0027s SingleUseObjectProvider has a MODERATE impact. It allows an attacker to delete arbitrary single-use entries, which could lead to the replay of consumed action tokens such as password reset links. Exploitation requires high attack complexity and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4325"
},
{
"category": "external",
"summary": "RHBZ#2448351",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448351"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4325",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Replay of action tokens via improper handling of single-use entries"
},
{
"acknowledgments": [
{
"names": [
"Slvrqn"
]
}
],
"cve": "CVE-2026-4634",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-03-23T08:40:02.817000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450250"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Red Hat Build of Keycloak (RHBK). An unauthenticated attacker can exploit this flaw by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect token endpoint, leading to high resource consumption and prolonged processing times on the Keycloak server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4634"
},
{
"category": "external",
"summary": "RHBZ#2450250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450250"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4634",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4634"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4634"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters"
},
{
"cve": "CVE-2026-4636",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-23T08:15:12.427000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450251"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Keycloak allows an authenticated user with the `uma_protection` role to bypass User-Managed Access (UMA) policy validation. Exploitation requires that victim users have created UMA-protected resources with `ownerManagedAccess` enabled and that authorization services are enabled on the client. This flaw enables an attacker to gain unauthorized permissions to victim-owned resources within Red Hat Build of Keycloak.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4636"
},
{
"category": "external",
"summary": "RHBZ#2450251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450251"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4636"
}
],
"release_date": "2026-04-02T12:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T13:58:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources."
}
]
}
FKIE_CVE-2026-1035
Vulnerability from fkie_nvd - Published: 2026-01-21 06:15 - Updated: 2026-04-02 14:16
Severity ?
Summary
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una falla en el servidor Keycloak durante el procesamiento de tokens de actualizaci\u00f3n, espec\u00edficamente en la clase TokenManager responsable de aplicar las pol\u00edticas de reutilizaci\u00f3n de tokens de actualizaci\u00f3n. Cuando la rotaci\u00f3n estricta de tokens de actualizaci\u00f3n est\u00e1 habilitada, la validaci\u00f3n y actualizaci\u00f3n del uso del token de actualizaci\u00f3n no se realizan de forma at\u00f3mica. Esto permite que las solicitudes de actualizaci\u00f3n concurrentes eludan la aplicaci\u00f3n del uso \u00fanico y emitan m\u00faltiples tokens de acceso desde el mismo token de actualizaci\u00f3n. Como resultado, el endurecimiento de la rotaci\u00f3n de tokens de actualizaci\u00f3n de Keycloak puede verse socavado."
}
],
"id": "CVE-2026-1035",
"lastModified": "2026-04-02T14:16:25.143",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2026-01-21T06:15:46.937",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2026-1035"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430314"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-367"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
GHSA-M2W5-7XHV-W6FH
Vulnerability from github – Published: 2026-01-21 06:31 – Updated: 2026-04-02 15:31
VLAI?
Summary
Keycloak does not validate and update refresh token usage atomically
Details
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1035"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T22:29:46Z",
"nvd_published_at": "2026-01-21T06:15:46Z",
"severity": "LOW"
},
"details": "A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined.",
"id": "GHSA-m2w5-7xhv-w6fh",
"modified": "2026-04-02T15:31:34Z",
"published": "2026-01-21T06:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1035"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/45647"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-1035"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430314"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak does not validate and update refresh token usage atomically"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…