CVE-2026-2733 identifies an improper authorization vulnerability in the Docker v2 authentication endpoint of the Red Hat build of Keycloak version 26.4. Keycloak is an open-source identity and access management solution widely used for authentication and authorization, including integration with container registries. The vulnerability arises because when an administrator disables a Docker registry client by toggling its 'Enabled' setting to OFF, the system fails to fully revoke access. Specifically, tokens continue to be issued to clients using previously valid credentials despite the administrative disablement. This flaw undermines the administrative control mechanism designed to restrict access to container registry resources. The issue affects the confidentiality and integrity of the authentication process, as unauthorized token issuance can lead to unintended access to container images and related resources. The vulnerability requires an attacker to have high privileges (PR:H) but does not require user interaction (UI:N) and can be exploited remotely (AV:N). The scope is unchanged (S:U), meaning the impact is limited to the affected component. The CVSS v3.1 base score is 3.8, reflecting low severity due to the requirement of high privileges and limited impact on availability. No known exploits have been reported in the wild, indicating limited active exploitation at present. However, the flaw weakens a critical security control in container registry authentication, which is a sensitive area given the importance of container security in modern DevOps and cloud environments.

The primary impact of this vulnerability is the weakening of administrative controls over Docker registry clients integrated with Keycloak. Organizations relying on Keycloak 26.4 to manage authentication for container registries may find that disabling a client does not fully prevent access, allowing previously valid credentials to continue obtaining authentication tokens. This can lead to unauthorized access to container images, potentially exposing sensitive application code, configurations, or proprietary software. Such unauthorized access could facilitate further attacks, including supply chain compromises or unauthorized deployments. Although the vulnerability requires high privileges to exploit, insider threats or compromised administrative accounts could leverage this flaw to maintain or regain access despite administrative attempts to revoke it. The impact on confidentiality and integrity is moderate, while availability is not affected. Given the widespread adoption of container technologies and Keycloak in enterprise environments, this vulnerability could affect organizations globally, especially those with mature containerized application deployments and strict access control requirements.

To mitigate CVE-2026-2733, organizations should apply any patches or updates provided by Red Hat for Keycloak 26.4 as soon as they become available. In the absence of an immediate patch, administrators should implement compensating controls such as: 1) Rotating credentials and tokens associated with disabled Docker registry clients to invalidate previously issued tokens. 2) Monitoring and auditing token issuance logs to detect anomalous or unauthorized token generation. 3) Restricting administrative privileges to minimize the risk of misuse or compromise of accounts capable of managing Docker registry clients. 4) Employing network-level access controls or firewall rules to limit access to container registries from unauthorized sources. 5) Considering temporary disabling or limiting the use of Docker registry clients in Keycloak until a fix is applied. Additionally, organizations should review their container registry authentication workflows to ensure that disabling clients effectively revokes access and consider alternative authentication mechanisms if necessary.