CVE-2026-16089
Received Received - Intake

Authorization Code Theft in Red Hat Build of Keycloak

Vulnerability report for CVE-2026-16089, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their own client, potentially allowing them to obtain access tokens for a victim's identity.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
red_hat keycloak_services *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves OAuth 2.0 authorization codes in Red Hat Build of Keycloak not being properly bound to the original requesting client. An attacker can intercept an authorization code and modify it to be redeemed by their own client, allowing them to obtain access tokens for a victim's identity.

Detection Guidance

Monitor Keycloak token endpoint logs for unusual authorization code redemption attempts. Check for mismatches between the client ID in the authorization code and the client ID used during token redemption. Look for multiple redemption attempts of the same authorization code from different client sessions.

Impact Analysis

An attacker could impersonate you to an attacker-controlled client and access your data exposed to that client. This requires the attacker to register a client, establish an SSO session with you, and intercept an authorization code.

Compliance Impact

This vulnerability could lead to unauthorized access to user data, potentially violating GDPR's data protection principles and HIPAA's access controls. If exploited, it may result in unauthorized disclosure of personal or health information, undermining compliance with these regulations.

Mitigation Strategies

Update Keycloak to the latest patched version immediately. Review and restrict client registrations in the same realm. Monitor for suspicious token redemption activities. Consider disabling OAuth 2.0 authorization code flow temporarily if an update is not immediately available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart