
CVE-2026-2733: Improper Authorization in Red Hat Red Hat Build of Keycloak

Severity: Low
Type: Vulnerability (CVE-2026-2733)
Published: Thu Feb 19 2026 (02/19/2026, 07:48:08 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

CVE-2026-2733 is a low-severity vulnerability in Red Hat Build of Keycloak affecting the Docker v2 authentication endpoint. The flaw allows tokens to be issued even after a Docker registry client has been administratively disabled, meaning that disabling the client does not fully block access. Consequently, previously valid credentials can still be used to obtain authentication tokens, weakening administrative controls. This could lead to unauthorized access to container registry resources. The vulnerability requires high privileges to exploit and does not need user interaction. No known exploits are currently reported in the wild. Organizations using Red Hat Build of Keycloak for Docker registry authentication should review their client management and consider additional controls to mitigate risk.

AI-Powered Analysis

Last updated: 02/19/2026, 08:10:34 UTC

Technical Analysis

CVE-2026-2733 identifies an improper authorization vulnerability in the Docker v2 authentication endpoint of the Red Hat Build of Keycloak. Specifically, when a Docker registry client is administratively disabled by setting its “Enabled” flag to OFF, the system erroneously continues to issue authentication tokens if previously valid credentials are presented. This indicates a failure in the authorization logic that should prevent token issuance once a client is disabled. The flaw undermines the intended administrative control mechanism designed to revoke access by disabling clients. Attackers or unauthorized users with previously valid credentials can exploit this weakness to obtain authentication tokens and gain access to container registry resources that should have been restricted. The vulnerability has a CVSS 3.1 base score of 3.8, reflecting low severity due to the requirement for high privileges (PR:H) to exploit, no user interaction, and limited impact on confidentiality and integrity. No known public exploits or active exploitation have been reported. The issue highlights the importance of robust token issuance and client state validation in authentication services, especially those managing container registries where unauthorized access could lead to supply chain risks or data exposure.

Potential Impact

For European organizations, this vulnerability could weaken administrative controls over container registry access, potentially allowing unauthorized access to container images and related resources. While the severity is low, the impact on confidentiality and integrity is non-negligible, especially for organizations relying heavily on containerized deployments and DevOps pipelines. Unauthorized access to container registries could lead to exposure of proprietary or sensitive container images, insertion of malicious code into images, or disruption of deployment workflows. This risk is particularly relevant for sectors with stringent compliance requirements such as finance, healthcare, and critical infrastructure. However, the requirement for high privileges to exploit limits the threat to insiders or attackers who have already gained elevated access. The absence of known exploits reduces immediate risk but does not eliminate the need for remediation. Organizations with extensive use of Red Hat Build of Keycloak in their container infrastructure should assess their exposure and strengthen monitoring of authentication token issuance and client status changes.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply any available patches or updates from Red Hat promptly once released, as the current information does not list patch links but updates are expected.
2) Implement additional access controls around the management of Docker registry clients, including multi-factor authentication and strict role-based access control to limit who can disable clients.
3) Monitor authentication token issuance logs for anomalies, especially tokens issued to clients that have been administratively disabled.
4) Consider implementing short-lived tokens or token revocation mechanisms to reduce the window of unauthorized access.
5) Review and audit container registry client configurations regularly to ensure disabled clients are not inadvertently issuing tokens.
6) Employ network segmentation and container image scanning to detect and prevent unauthorized access or tampering.
7) Educate administrators about the limitations of the current client disablement mechanism and encourage manual verification of access revocation.
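Recommendations 3 and 5 above amount to a correlation check: replay client state changes from the admin audit trail alongside token issuance events, and flag any Docker v2 token issued while the client's "Enabled" flag was OFF. The script below is an added example, not code from Keycloak or from this advisory. The JSON-lines format, the field names (`kind`, `op`, `client_id`, `enabled`, `endpoint`) and the sample events are constructed for illustration and are not Keycloak's real event schema; the endpoint path `/protocol/docker-v2/auth` is an assumption about how the request would appear in an access log. Adapt the parsing to whatever admin-event and login-event export your deployment produces.

```python
"""Flag Docker v2 token issuance to clients that were administratively disabled.

Added example for CVE-2026-2733 monitoring. The log schema here is CONSTRUCTED
(hypothetical), not Keycloak's real event format: adapt field names as needed.
"""
import json
from datetime import datetime

# Constructed sample log: an admin disables "docker-registry" at 08:00, a token
# is still issued to it at 08:05 (the behaviour the CVE describes), a different
# client gets a token normally, then the client is re-enabled at 08:10.
SAMPLE_EVENTS = """
{"ts": "2026-02-19T07:59:00Z", "kind": "token", "endpoint": "/realms/demo/protocol/docker-v2/auth", "client_id": "docker-registry", "user": "ci-bot"}
{"ts": "2026-02-19T08:00:00Z", "kind": "admin", "op": "CLIENT_UPDATE", "client_id": "docker-registry", "enabled": false}
{"ts": "2026-02-19T08:05:12Z", "kind": "token", "endpoint": "/realms/demo/protocol/docker-v2/auth", "client_id": "docker-registry", "user": "ci-bot"}
{"ts": "2026-02-19T08:06:00Z", "kind": "token", "endpoint": "/realms/demo/protocol/docker-v2/auth", "client_id": "other-registry", "user": "dev"}
{"ts": "2026-02-19T08:10:00Z", "kind": "admin", "op": "CLIENT_UPDATE", "client_id": "docker-registry", "enabled": true}
{"ts": "2026-02-19T08:11:00Z", "kind": "token", "endpoint": "/realms/demo/protocol/docker-v2/auth", "client_id": "docker-registry", "user": "ci-bot"}
"""


def parse_events(text):
    """Parse JSON lines into dicts and order them for replay.

    Events are sorted by timestamp; at an equal timestamp an admin state change
    is applied before a token event so the state used for the check is current.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # "Z" suffix is not accepted by fromisoformat on older Pythons.
        ev["_ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: (e["_ts"], 0 if e["kind"] == "admin" else 1))
    return events


def find_tokens_for_disabled_clients(text):
    """Return token events issued while the target client was disabled.

    Unknown clients are assumed enabled (no state change seen yet), so the
    check only fires after an explicit disable has been observed in the log.
    """
    enabled = {}  # client_id -> bool, rebuilt from admin events in time order
    findings = []
    for ev in parse_events(text):
        cid = ev.get("client_id")
        if ev["kind"] == "admin" and ev.get("op") == "CLIENT_UPDATE" and "enabled" in ev:
            enabled[cid] = bool(ev["enabled"])
        elif ev["kind"] == "token" and ev.get("endpoint", "").endswith("/docker-v2/auth"):
            if not enabled.get(cid, True):
                findings.append({
                    "ts": ev["ts"],
                    "client_id": cid,
                    "user": ev.get("user"),
                    "reason": "docker-v2 token issued while client disabled",
                })
    return findings


if __name__ == "__main__":
    for f in find_tokens_for_disabled_clients(SAMPLE_EVENTS):
        print(f"ALERT {f['ts']} client={f['client_id']} user={f['user']}: {f['reason']}")
```

Only the 08:05:12 issuance is reported: the 07:59 token predates the disable and the 08:11 token follows the re-enable, so a correct Keycloak would issue both. Running the same replay over your real logs after patching is also a cheap way to confirm the fix took effect.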


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2026-02-19T07:15:32.860Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6996c21f6aea4a407a46d597

Added to database: 2/19/2026, 7:56:15 AM

Last enriched: 2/19/2026, 8:10:34 AM

Last updated: 2/19/2026, 9:12:40 AM

