Authentication Configuration Flaw in Red Hat Build of Keycloak
CVE-2026-16104

4.3MEDIUM

What is CVE-2026-16104?

A flaw exists in the authentication configuration endpoint of the core component of Red Hat Build of Keycloak, potentially leading to the exposure of sensitive configuration details. This issue arises when the system does not adequately mask critical configuration values, including reCAPTCHA secret keys, visible to administrators with only view permissions. Such exposure could allow unauthorized individuals to access third-party service credentials, presenting significant security risks through administrative logs.

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.
.