CVE-2026-15943 PUBLISHED

Keycloak-services: keycloak-services: oidc idp update reuses masked client secret after token url change

Assigner: redhat
Reserved: 16.07.2026 Published: 17.07.2026 Updated: 17.07.2026

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 5.5

Product Status

Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Data Grid 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Single Sign-On 7
Versions Default: unaffected

Credits

  • Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.

References

Problem Types

  • Improper Validation of Consistency within Input CWE