CVE-2026-16104
Received Received - Intake

Authentication Bypass in Red Hat Build of Keycloak

Vulnerability report for CVE-2026-16104, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The issue occurs because the system fails to mask sensitive configuration values, such as reCAPTCHA secret keys, when they are requested by administrators with view-only permissions. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
red_hat keycloak From 2026-07-17 (inc)
red_hat keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16104 is an Information Exposure vulnerability in Keycloak's authenticator configuration endpoint. The flaw occurs because sensitive configuration values, such as reCAPTCHA secret keys, are not masked when requested by administrators with view-only permissions. This allows unauthorized personnel or logs to access these credentials.

Detection Guidance

Check Keycloak admin logs for exposed secrets in GET /admin/realms/{realm}/authentication/config/{id} responses. Review configuration endpoints for unmasked reCAPTCHA secrets or api.keys.

Impact Analysis

An attacker with view-realm role access could retrieve raw secret values like reCAPTCHA keys. These exposed secrets could be used to bypass bot-detection mechanisms, potentially allowing unauthorized access or actions within the affected realm.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to the exposure of sensitive credentials like reCAPTCHA secrets. Unauthorized access to such data may violate confidentiality requirements under these regulations, particularly if personal or protected health information is involved.

Mitigation Strategies

Upgrade Keycloak to the latest patched version. Restrict view-realm role permissions. Audit admin logs for exposed secrets and rotate any compromised credentials immediately.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart