Keycloak: SingleUseObjectProvider Lacks Isolation, Enabling Unauth Code Forgery
CVE-2026-4282 Published on April 2, 2026
Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
Vulnerability Analysis
CVE-2026-4282 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public. 17 days later.
Weakness Type
What is a Separation of Privilege Vulnerability?
The product does not sufficiently compartmentalize functionality or processes that require different privilege levels, rights, or permissions. When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.
CVE-2026-4282 has been classified to as a Separation of Privilege vulnerability or weakness.
Products Associated with CVE-2026-4282
Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.
Affected Versions
Red Hat build of Keycloak 26.2:- Version 26.2.15-1 and below * is unaffected.
- Version 26.2-18 and below * is unaffected.
- Version 26.2-18 and below * is unaffected.
- Version 26.4.11-1 and below * is unaffected.
- Version 26.4-14 and below * is unaffected.
- Version 26.4-14 and below * is unaffected.