PT-2026-60741 · Red Hat · Red Hat Build Of Keycloak+3

CVE-2026-15943

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

5.5

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15943

Affected Products

Red Hat Build Of Keycloak
Red Hat Data Grid 8
Red Hat Jboss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-On 7