CVSS 3.8

Keycloak: Disabled Docker Clients Can Still Get Authentication Tokens

CVE-2026-2733 · GHSA-fjf4-6f34-w64q
Summary

A security weakness in Keycloak's Docker authentication system allows clients to keep obtaining authentication tokens even after they have been disabled. As a result, administrators cannot fully control access to container registry resources. To fix, update to the latest version of Keycloak.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
keycloak | org.keycloak:keycloak-services | <= 26.5.3 | (not listed)
Original title
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
Original description
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client's "Enabled" setting to OFF does not fully prevent access: previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
NVD CVSS 3.1 base score: 3.8
Vulnerability type
CWE-285 Improper Authorization
Published: 19 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026