CVE-2026-4282: Keycloak Privilege Escalation Vulnerability
Platform: java
Component: keycloak
Fixed in: *
CVE-2026-4282 describes a privilege escalation vulnerability in Keycloak. Specifically, the SingleUseObjectProvider lacks proper type and namespace isolation, enabling unauthenticated attackers to forge authorization codes. Successful exploitation allows creation of admin-capable access tokens, leading to privilege escalation. This affects all versions of Keycloak. A fix is available.
How to fix
Upgrade Keycloak to version 26.2.16 or later, or to version 26.4.15 or later, to mitigate the vulnerability. This update corrects an isolation flaw in the SingleUseObjectProvider that allows authorization codes to be forged and privileges to be escalated.
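As an added example (not part of this advisory or of the Keycloak project), the following Python check compares a Keycloak version string against the two fixed versions named above. It assumes a conservative reading of the advisory: a version is treated as fixed only if it is 26.2.16 or later on the 26.2 line, or 26.4.15 or later in general; anything else, including 26.3.x for which the advisory lists no fix, is reported as affected. The version is read from the `systemInfo.version` field of the Keycloak admin server-info response; the JSON body below is constructed for the example, not captured from a real server.

```python
"""Check a Keycloak version string against the fixed versions for CVE-2026-4282."""
import json
import re

# Fixed versions stated in the advisory: 26.2.16 or later, 26.4.15 or later.
FIXED_26_2 = (26, 2, 16)
FIXED_26_4 = (26, 4, 15)


def parse_version(text):
    """Turn '26.2.15' or '26.4.15-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognized Keycloak version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """Return True if the version carries the fix per the advisory's fixed versions.

    Assumption (conservative): versions outside the two stated fixed lines,
    e.g. 26.3.x, are treated as affected because the advisory lists no fix for them.
    """
    v = parse_version(version)
    if v[:2] == (26, 2):
        return v >= FIXED_26_2
    return v >= FIXED_26_4


def check_server_info(server_info_json):
    """Parse a server-info JSON body (systemInfo.version) and return (version, fixed)."""
    info = json.loads(server_info_json)
    version = info["systemInfo"]["version"]
    return version, is_fixed(version)


# Constructed sample body: only the field this check needs, not a real server's output.
SAMPLE_SERVER_INFO = json.dumps({"systemInfo": {"version": "26.2.15"}})

if __name__ == "__main__":
    version, fixed = check_server_info(SAMPLE_SERVER_INFO)
    status = "fixed" if fixed else "AFFECTED by CVE-2026-4282"
    print(f"Keycloak {version}: {status}")
```

Run against the version reported by your own instance; a result of "affected" means the upgrade above is still outstanding.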
Frequently asked questions
What is CVE-2026-4282?
CVE-2026-4282 is a privilege escalation vulnerability in Keycloak. It allows unauthenticated attackers to forge authorization codes and gain administrative privileges.
Am I affected by CVE-2026-4282?
You are affected if you are using any version of Keycloak, as the vulnerability impacts all versions. Successful exploitation can lead to a complete compromise of your Keycloak instance.
How do I fix CVE-2026-4282?
A fix is available. Upgrade your Keycloak instance to the latest version to patch the vulnerability and prevent unauthorized privilege escalation.