logo

Database

Lack of isolation methods In org.keycloak:keycloak-services

Description

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-42822. NVD-2026-42823. OSV-2026-42824. GCVE-2026-42825. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2026-4282

References

1. https://github.com/keycloak/keycloak/issues/477192. https://github.com/keycloak/keycloak/commit/9046f201125a6fd6be9c116b99d348509d99d4a53. https://bugzilla.redhat.com/show_bug.cgi?id=2448061

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.