CVE-2026-2733 LOW

CVE-2026-2733: Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.10
Weakness CWE-285
Published February 19, 2026
Last update March 6, 2026

CVSS base score

3.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
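To make the missing control concrete, the following is an added illustration and not code from Keycloak or Red Hat: a toy realm with a Docker v2 style token endpoint that can be run with the enabled check omitted (the behaviour the advisory describes) or present (the fixed behaviour), a regression helper that tells an operator whether a disabled client can still obtain a token, and a log-review helper that flags token issuances for clients that were disabled at the time. `ToyRealm`, `DockerClient`, the token format and the event names in `SAMPLE_LOG` are all constructed for this example and do not correspond to Keycloak's internal classes or audit event types.

```python
# Added illustration for CVE-2026-2733 (not Keycloak's code): a toy Docker v2
# token endpoint with the client "enabled" check omitted (vulnerable) or present
# (fixed), plus a log-review helper for tokens issued to disabled clients.
import base64
import hmac
import json
from dataclasses import dataclass
from hashlib import sha256


@dataclass
class DockerClient:
    client_id: str
    secret: str
    enabled: bool = True   # the admin "Enabled" switch modelled by this example


class TokenIssuanceError(Exception):
    pass


class ToyRealm:
    """Hypothetical stand-in for a realm's docker-v2 auth endpoint (constructed)."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._clients: dict[str, DockerClient] = {}

    def register(self, client: DockerClient) -> None:
        self._clients[client.client_id] = client

    def set_enabled(self, client_id: str, enabled: bool) -> None:
        self._clients[client_id].enabled = enabled

    def issue_token(self, client_id: str, secret: str, service: str, scope: str,
                    enforce_enabled: bool = True) -> str:
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client.secret.encode(),
                                                     secret.encode()):
            raise TokenIssuanceError("invalid client credentials")
        # enforce_enabled=False models the flaw: valid credentials still yield a
        # registry token even though the administrator switched the client off.
        if enforce_enabled and not client.enabled:
            raise TokenIssuanceError("client is disabled")
        payload = {"iss": "toy-realm", "sub": client_id, "aud": service, "access": scope}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
        sig = hmac.new(self._key, body.encode(), sha256).hexdigest()
        return f"{body}.{sig}"


def disabled_client_can_get_token(realm: ToyRealm, client_id: str, secret: str,
                                  enforce_enabled: bool) -> bool:
    """Regression check: returns True when the Enabled switch can be bypassed."""
    realm.set_enabled(client_id, False)
    try:
        realm.issue_token(client_id, secret, "registry.example.test",
                          "repository:app:pull", enforce_enabled=enforce_enabled)
        return True
    except TokenIssuanceError:
        return False
    finally:
        realm.set_enabled(client_id, True)


def tokens_issued_after_disable(log_lines: list[str]) -> list[str]:
    """Flag token issuances for a client that an earlier line shows as disabled
    and that has not been re-enabled since. Event names are constructed."""
    disabled: set[str] = set()
    findings: list[str] = []
    for line in log_lines:
        evt = json.loads(line)
        cid = evt["client_id"]
        if evt["type"] == "CLIENT_DISABLED":
            disabled.add(cid)
        elif evt["type"] == "CLIENT_ENABLED":
            disabled.discard(cid)
        elif evt["type"] == "DOCKER_TOKEN_ISSUED" and cid in disabled:
            findings.append(f"{evt['ts']} token issued to disabled client {cid}")
    return findings


# Constructed sample audit lines (not real Keycloak event output).
SAMPLE_LOG = [
    '{"ts":"2026-02-20T08:00:00Z","type":"DOCKER_TOKEN_ISSUED","client_id":"ci-pusher"}',
    '{"ts":"2026-02-20T09:00:00Z","type":"CLIENT_DISABLED","client_id":"ci-pusher"}',
    '{"ts":"2026-02-20T09:05:00Z","type":"DOCKER_TOKEN_ISSUED","client_id":"ci-pusher"}',
    '{"ts":"2026-02-20T09:06:00Z","type":"DOCKER_TOKEN_ISSUED","client_id":"dev-laptop"}',
    '{"ts":"2026-02-20T10:00:00Z","type":"CLIENT_ENABLED","client_id":"ci-pusher"}',
    '{"ts":"2026-02-20T10:30:00Z","type":"DOCKER_TOKEN_ISSUED","client_id":"ci-pusher"}',
]

if __name__ == "__main__":
    realm = ToyRealm(b"toy-signing-key")
    realm.register(DockerClient("ci-pusher", "s3cret"))
    print("bypassable without check:",
          disabled_client_can_get_token(realm, "ci-pusher", "s3cret", False))
    print("bypassable with check:   ",
          disabled_client_can_get_token(realm, "ci-pusher", "s3cret", True))
    print(tokens_issued_after_disable(SAMPLE_LOG))
```

The point of the two helpers is operational rather than exploit-oriented: `disabled_client_can_get_token` is the shape of a test an administrator would keep in a regression suite so that the Enabled switch is verified to cut off token issuance, and `tokens_issued_after_disable` is the shape of a retrospective log query for the window before the fix was applied, since a token issued to a client that was already disabled is exactly the event this advisory says should not occur.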

Key dates

Disclosure timeline

February 19, 2026 CVE published
March 6, 2026 Record updated