PT-2026-60741 · Red Hat · Red Hat Build Of Keycloak+3
CVE-2026-15943
·
Published
2026-07-17
·
Updated
2026-07-17
CVSS v3.1
5.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Red Hat Build Of Keycloak
Red Hat Data Grid 8
Red Hat Jboss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-On 7