PT-2026-20651 · Docker+1

Published: 2026-02-19 · Updated: 2026-03-05 · CVE-2026-2733

CVSS v3.1: 3.8 (Low)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Keycloak (affected versions not specified)

Description

A flaw exists in the Docker v2 authentication endpoint of Keycloak where authentication tokens remain valid even after a Docker registry client has been administratively disabled. Specifically, toggling the client’s “Enabled” setting to OFF does not completely block access. Consequently, previously valid credentials can still be used to obtain authentication tokens, potentially weakening administrative controls and allowing unintended access to container registry resources.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-2733
GHSA-FJF4-6F34-W64Q

Affected Products

Docker
Keycloak