The vulnerability CVE-2026-4282 affects Red Hat build of Keycloak version 26.2. The issue stems from improper isolation or compartmentalization in the SingleUseObjectProvider, which is a global key-value store used by Keycloak. Due to the lack of proper type and namespace isolation, an unauthenticated attacker can exploit this flaw to forge authorization codes. Successful exploitation can result in the generation of access tokens with administrative privileges, leading to privilege escalation within the system. Red Hat has acknowledged this vulnerability and included a fix in the Keycloak 26.2.15 update. The vulnerability is rated with a CVSS v3.1 score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting network attack vector, high complexity, no privileges or user interaction required, unchanged scope, and high confidentiality and integrity impact without availability impact.

An unauthenticated attacker can exploit this vulnerability to forge authorization codes, which may lead to the creation of admin-capable access tokens. This results in privilege escalation, allowing the attacker to gain administrative access to the Keycloak authentication server. The impact includes high confidentiality and integrity compromise but does not affect availability. There are no known exploits in the wild at the time of this advisory.

Red Hat has released updated packages for Red Hat build of Keycloak version 26.2.15 that address this vulnerability along with other security issues. Users should back up their existing installations, including applications, configuration files, and databases, before applying the update. Applying the official update from Red Hat is the recommended remediation. No alternative mitigations or workarounds are specified in the advisory. Patch status is confirmed by the vendor advisory, and the fix is available.