Authorization Code Exposure in Red Hat Build of Keycloak
CVE-2026-16089
5.4MEDIUM
What is CVE-2026-16089?
A vulnerability has been identified in the keycloak-services component of Red Hat's Build of Keycloak, where OAuth 2.0 authorization codes are inadequately linked to the originating client. This flaw allows an attacker, who successfully intercepts an authorization code, to alter it and redeem it using their own client. This manipulation could lead to unauthorized access tokens being issued, resulting in potential identity compromise of the affected user.
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.