CVE-2026-2733

Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol

CVSS 3.8 LOWEPSS 0.3%CWE-285

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Productos afectados

Red Hat · Red Hat Build of Keycloak Red Hat · Red Hat build of Keycloak 26.4 Red Hat · Red Hat build of Keycloak 26.4.10 Red Hat · Red Hat JBoss Enterprise Application Platform 8 Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack Red Hat · Red Hat Single Sign-On 7

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://access.redhat.com/errata/RHSA-2026:3947 https://access.redhat.com/errata/RHSA-2026:3948 https://access.redhat.com/security/cve/CVE-2026-2733 https://bugzilla.redhat.com/show_bug.cgi?id=2440895