Flaw in Keycloak Keycloak-Services Affects Identity Provider Management
CVE-2026-15943
5.5MEDIUM
What is CVE-2026-15943?
A vulnerability exists in the Keycloak keycloak-services component responsible for managing identity providers. The flaw arises when a delegated administrator attempts to update an OpenID Connect (OIDC) identity provider using a masked client secret. Due to insufficient validation, Keycloak inadvertently reuses the actual client secret, even when crucial security-sensitive fields such as the token URL are altered. This loophole enables an attacker to potentially capture the sensitive secret, jeopardizing the integrity of the identity provider management process.
References
CVSS V3.1
Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.