CVE-2026-2733

Published: Feb 19, 2026Modified: Mar 5, 2026

3.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Exploitability: 1.2 / Impact: 2.5

Source: secalert@redhat.com (Secondary)

Description

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.

Related CWEs

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://access.redhat.com/errata/RHSA-2026:3947

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2026:3948

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2026-2733

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2440895

Source: secalert@redhat.com

Timeline

No history available yet.