Authentication Token Vulnerability in Keycloak's Docker Registry Client
CVE-2026-2733

3.8LOW

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.10
Red Hat Build Of Keycloak
Red Hat Jboss Enterprise Application Platform 8
Vendor
CVE Published:
19 February 2026

What is CVE-2026-2733?

A vulnerability exists in Keycloak's Docker v2 authentication endpoint where authentication tokens are issued even after a Docker registry client has been disabled by administrators. Disabling the client does not fully revoke access, allowing previously valid credentials to continue fetching authentication tokens. This oversight undermines administrative control and exposes container registry resources to potential unauthorized access, posing a significant security risk.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.10-1

Red Hat build of Keycloak 26.4 26.4-12

Red Hat build of Keycloak 26.4 26.4-12

References

https://access.redhat.com/errata/RHSA-2026:3947
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3948
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-2733
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
3.8
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.