CVE-2026-4282
Published: 02 April 2026
Summary
CVE-2026-4282 is a high-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in Redhat Build Of Keycloak. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation of the flaw in Keycloak's SingleUseObjectProvider through application of vendor patches like Red Hat errata.
Enforces approved authorizations and proper type/namespace isolation on the global key-value store to prevent unauthorized access and forgery of authorization codes.
Limits the impact of forged authorization codes by ensuring access tokens are granted only least privileges necessary, reducing privilege escalation to admin capabilities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated forging of authorization codes in a public-facing IAM service to obtain admin access tokens, directly mapping to exploitation for privilege escalation (T1068) via a public-facing application (T1190).
NVD Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting…
more
in privilege escalation.
Deeper analysisAI
CVE-2026-4282 is a vulnerability in Keycloak, an open-source identity and access management solution. The issue resides in the SingleUseObjectProvider, a global key-value store that lacks proper type and namespace isolation. This flaw enables an unauthenticated attacker to forge authorization codes, which can be exploited to create access tokens with administrative capabilities, resulting in privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-653.
An unauthenticated attacker with network access can exploit this vulnerability, though it requires high attack complexity. By forging authorization codes due to the inadequate isolation in the SingleUseObjectProvider, the attacker can obtain admin-capable access tokens. This leads to unauthorized privilege escalation, potentially allowing full administrative control over the Keycloak instance.
Red Hat has released multiple errata addressing this vulnerability, including RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477, and RHSA-2026:6478, which provide patches for affected Keycloak deployments. Additional details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-4282.
Details
- CWE(s)