Issued:

2026-04-02

Updated:

2026-04-02

RHSA-2026:6475 - Important: Red Hat build of Keycloak 26.2.15 Update

Synopsis

Important: Red Hat build of Keycloak 26.2.15 Update

Type/Severity

Security Advisory Important

Topic

New Red Hat build of Keycloak 26.2.15 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.2.15 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

• Information disclosure due to redirect_uri validation bypass (CVE-2026-3872)
• Replay of action tokens via improper handling of single-use entries (CVE-2026-4325)
• UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources ( CVE-2026-4636)
• Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (CVE-2026-4282)
• Denial of Service via excessive processing of OpenID Connect scope parameters (CVE-2026-4634)

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

Fixes

(none)

CVEs

• CVE-2026-3872
• CVE-2026-4282
• CVE-2026-4325
• CVE-2026-4634
• CVE-2026-4636

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.