A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.
History

Sat, 18 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 17 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Jul 2026 12:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.
Title Keycloak-services: keycloak-services: oidc idp update reuses masked client secret after token url change
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Data Grid
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-1288
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Data Grid
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-07-17T11:49:49.874Z

Updated: 2026-07-17T14:53:16.118Z

Reserved: 2026-07-16T09:20:43.530Z

Link: CVE-2026-15943

cve-icon Vulnrichment

Updated: 2026-07-17T14:53:11.389Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-16T06:27:49Z

Links: CVE-2026-15943 - Bugzilla