Vulnerability Description
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources.
CVSS Score
3.8 (LOW)
References
- https://access.redhat.com/errata/RHSA-2026:3947
- https://access.redhat.com/errata/RHSA-2026:3948
- https://access.redhat.com/security/cve/CVE-2026-2733
- https://bugzilla.redhat.com/show_bug.cgi?id=2440895
FAQ
What is CVE-2026-2733?
CVE-2026-2733 is a vulnerability in Keycloak with a CVSS base score of 3.8 (LOW). Its Docker v2 authentication endpoint continues to issue tokens for a Docker registry client even after that client has been administratively disabled, so setting the client to disabled does not by itself revoke access; see the vulnerability description above.
How severe is CVE-2026-2733?
CVE-2026-2733 has been rated LOW with a CVSS base score of 3.8/10. Refer to the vendor references below for the full CVSS vector and severity breakdown.
Is there a patch for CVE-2026-2733?
Check the References section above for vendor advisories and patch information (the Red Hat errata RHSA-2026:3947 and RHSA-2026:3948 are listed there). Review the vendor security bulletins for remediation guidance.