Red Hat Product Errata RHSA-2026:6478 - Security Advisory
Issued:
2026-04-02
Updated:
2026-04-02

RHSA-2026:6478 - Security Advisory

Synopsis

Important: Red Hat build of Keycloak 26.4.11 Images Update

Type/Severity

Security Advisory: Important

Topic

New images are available for Red Hat build of Keycloak 26.4.11 and Red Hat build of Keycloak 26.4.11 Operator, running on OpenShift Container Platform

Description

Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.11 clusters.

This erratum releases new images for Red Hat build of Keycloak 26.4.11 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.

Security fixes:

  • Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure (CVE-2025-14082)
  • Improper Access Control in Admin REST API leads to information disclosure (CVE-2025-14083)
  • keycloak-rhel9-operator: Keycloak IDOR in realm client creating/deleting (CVE-2025-14777)
  • Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition (CVE-2026-1035)
  • Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri (CVE-2026-1180)
  • Information Disclosure via improper role enforcement in UMA 2.0 Protection API (CVE-2026-3190)
  • Privilege escalation via manage-clients permission (CVE-2026-3121)
  • Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)
  • Information disclosure of disabled user attributes via administrative endpoint (CVE-2026-3911)
  • Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API (CVE-2026-3429)
  • Information disclosure via authorization bypass in Admin API (CVE-2026-2366)
  • Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)
  • UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (CVE-2026-4636)
  • Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)
  • Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

  • Red Hat build of Keycloak Text-only Advisories x86_64

Fixes

(none)

aarch64

rhbk/keycloak-rhel9@sha256:c1c1cb36f70ca142a789b359f9a120d321f58adc44e2c97a49c2d6f270d15bd9
rhbk/keycloak-rhel9-operator@sha256:c68d195c2d19568d9789648ef347a3388da453c83120d696453333c34a564347

ppc64le

rhbk/keycloak-rhel9@sha256:a4cb583985eb220ad05b1983a98a5a50e2b76c15e6f56152045591e3994f37d1
rhbk/keycloak-rhel9-operator@sha256:715a5c6cc9061fc0305370a33f5b69a96ba7bfdb23b706a567b489fc05b05e06

s390x

rhbk/keycloak-rhel9@sha256:33fc8c6edb3c5c2df302ea53a89454320e08ff4660ba84d0a78f6c67178dfb16
rhbk/keycloak-rhel9-operator@sha256:0d90a1c28652b5f73ea90f78968548178cf710121fcb13774a467aeb9c30ab09

x86_64

rhbk/keycloak-operator-bundle@sha256:7fb041b0e2b43954c3a83b58fd885b1cdc5bb32275e06c4c72955da5b78255c3
rhbk/keycloak-rhel9@sha256:dc54248ad9357fbd737e6983e6d8d0c7e845e39ed6558bd7c39f7a7573459489
rhbk/keycloak-rhel9-operator@sha256:1a7ac3c798d83cc37dd750ed44223630f4ebff937534a59a9e9ad029dbf31a0f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.