CVE-2026-15943
Received Received - Intake

Keycloak Identity Provider Secret Reuse Vulnerability

Vulnerability report for CVE-2026-15943, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
keycloak keycloak-services *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1288 The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Keycloak's admin API where a masked client secret sentinel value bypasses proper validation. When updating an OIDC identity provider, if security-sensitive fields like token URL are changed but the client secret is set to a masked sentinel, Keycloak reuses the existing real secret. This allows an attacker to redirect the secret to a malicious endpoint and capture it.

Detection Guidance

Check Keycloak admin API logs for PUT requests to identity provider endpoints where clientSecret is set to the masked sentinel value (ComponentRepresentation.SECRET_VALUE) while other sensitive fields like tokenUrl are modified. Monitor for unexpected changes to tokenUrl, clientId, or clientAuthMethod in IdP configurations.

Impact Analysis

An attacker with delegated administrator privileges could exploit this to capture sensitive client secrets by redirecting authentication traffic to their own server. This could lead to unauthorized access to protected resources or data breaches if the secrets are used for authentication.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR's data protection principles or HIPAA's security requirements. Organizations using Keycloak for identity management may face compliance violations if such breaches occur.

Mitigation Strategies

Apply the latest Keycloak security patch immediately. Review all OIDC identity provider configurations for unauthorized changes to tokenUrl, clientId, or clientAuthMethod. Restrict delegated administrator permissions to only necessary roles.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart