VDB
CVE-2026-4282
PUBLISHED
CVSS 7.4 HIGH
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
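To make the "lacks type and namespace isolation" point concrete, the following is an added toy model of the bug class, not Keycloak's code: a single-use key-value store shared by several object types, first with a flat keyspace and then with each entry bound to its object type. Every class and function name here is hypothetical, and the attacker's ability to write a chosen key/value pair into the shared store through some unrelated code path is an assumption made for the demonstration, since the page does not state the actual write path.

```python
"""Toy model of the flaw class described above: a single-use key-value store that
is shared by several object types, first without and then with type/namespace
isolation. Added illustration only, not Keycloak code; every class and function
name here is hypothetical."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UnisolatedStore:
    """Single-use store keyed by the bare key string only. Authorization codes and
    every other single-use object share one keyspace, so an entry written for one
    purpose can later be consumed as a different type."""
    _data: dict = field(default_factory=dict)

    def put(self, key: str, value: dict, ttl_s: int = 60) -> None:
        self._data[key] = (value, time.monotonic() + ttl_s)

    def consume(self, key: str) -> Optional[dict]:
        """Pop the entry (single use); None if absent or expired."""
        entry = self._data.pop(key, None)
        if entry is None or entry[1] < time.monotonic():
            return None
        return entry[0]


@dataclass
class NamespacedStore:
    """Same store, but the key is bound to an object type at write time, so a
    lookup for type "authz-code" never matches an entry stored under another type."""
    _data: dict = field(default_factory=dict)

    def put(self, obj_type: str, key: str, value: dict, ttl_s: int = 60) -> None:
        self._data[(obj_type, key)] = (value, time.monotonic() + ttl_s)

    def consume(self, obj_type: str, key: str) -> Optional[dict]:
        entry = self._data.pop((obj_type, key), None)
        if entry is None or entry[1] < time.monotonic():
            return None
        return entry[0]


def mint_token(claims: Optional[dict], client_id: str) -> Optional[dict]:
    """Hypothetical token endpoint logic: whatever was consumed under the code key
    is trusted as an authorization code and turned into an access token."""
    if claims is None or claims.get("client_id") != client_id:
        return None
    return {"sub": claims["sub"], "roles": list(claims["roles"]), "azp": client_id}


# Constructed attacker payload: the shape of a real authorization-code entry, but
# chosen by the attacker instead of being issued after authentication.
FORGED_CLAIMS = {"sub": "admin", "roles": ["admin"], "client_id": "admin-cli"}


def demo_unisolated() -> Optional[dict]:
    """Assumed write path: the attacker gets an entry with a key and value of their
    choosing into the shared store, then redeems that key as an authorization code."""
    store = UnisolatedStore()
    key = secrets.token_urlsafe(16)
    store.put(key, FORGED_CLAIMS)                       # stored as "something else"
    return mint_token(store.consume(key), "admin-cli")  # consumed as a code


def demo_namespaced_forged() -> Optional[dict]:
    """Same attacker write, but the store binds the entry to its own type."""
    store = NamespacedStore()
    key = secrets.token_urlsafe(16)
    store.put("other", key, FORGED_CLAIMS)
    return mint_token(store.consume("authz-code", key), "admin-cli")


def demo_namespaced_legit() -> Optional[dict]:
    """Legitimate flow still works: the authorization endpoint stores the code under
    its own type, the token endpoint reads it back under that type, and a replay
    of the same code fails because the entry is single use."""
    store = NamespacedStore()
    code = secrets.token_urlsafe(16)
    store.put("authz-code", code, {"sub": "alice", "roles": ["user"], "client_id": "web"})
    first = mint_token(store.consume("authz-code", code), "web")
    replay = store.consume("authz-code", code)
    return None if replay is not None else first


if __name__ == "__main__":
    print("unisolated store, forged entry    ->", demo_unisolated())
    print("namespaced store, forged entry    ->", demo_namespaced_forged())
    print("namespaced store, legitimate code ->", demo_namespaced_legit())
```

In the flat keyspace the forged entry is minted into an admin-role token; once the key is a (type, key) pair the same write is invisible to the code-redemption lookup while the genuine code flow, including single-use enforcement, is unchanged. The same isolation argument applies to a namespace or realm component in the key, which the model omits for brevity.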
EPSS 0.02% · 5.7th percentile
Risk Scores
CVSS v3.1
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.02%
5.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2.15-1 |
| Red Hat | Red Hat build of Keycloak 26.2.15 | |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.11-1 |
| Red Hat | Red Hat build of Keycloak 26.4.11 | |
Timeline
- Apr 2, 2026 CVE Published
- Apr 2, 2026 PoC Published
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
References
- RHSA-2026:6475 vendor-advisory
- RHSA-2026:6476 vendor-advisory
- RHSA-2026:6477 vendor-advisory
- RHSA-2026:6478 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2026-4282 vdb
- RHBZ#2448061 issue
- https://nvd.nist.gov/vuln/detail/CVE-2026-4282 advisory