A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.

Project Subscriptions

Vendors Products
Build Keycloak Subscribe
Jboss Data Grid Subscribe
Jbosseapxp Subscribe
Red Hat Single Sign On Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 17 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Jul 2026 12:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.
Title Keycloak-services: keycloak-services: oidc idp update reuses masked client secret after token url change
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Data Grid
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-1288
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Data Grid
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-17T14:53:16.118Z

Reserved: 2026-07-16T09:20:43.530Z

Link: CVE-2026-15943

cve-icon Vulnrichment

Updated: 2026-07-17T14:53:11.389Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses