CVE-2026-16089 PUBLISHED

Keycloak-services: keycloak-services: authorization codes can be retargeted to another client session

Assigner: redhat
Reserved: 17.07.2026 Published: 17.07.2026 Updated: 17.07.2026

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their own client, potentially allowing them to obtain access tokens for a victim's identity.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVSS Score: 5.4

Product Status

Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Data Grid 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Single Sign-On 7
Versions Default: unaffected

Credits

  • Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.

References