Flaw in Keycloak Keycloak-Services Affects Identity Provider Management
CVE-2026-15943

5.5MEDIUM

What is CVE-2026-15943?

A vulnerability exists in the Keycloak keycloak-services component responsible for managing identity providers. The flaw arises when a delegated administrator attempts to update an OpenID Connect (OIDC) identity provider using a masked client secret. Due to insufficient validation, Keycloak inadvertently reuses the actual client secret, even when crucial security-sensitive fields such as the token URL are altered. This loophole enables an attacker to potentially capture the sensitive secret, jeopardizing the integrity of the identity provider management process.

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.
.