PatchSiren cyber security CVE debrief
CVE-2026-15943 Red Hat CVE debrief
A flaw was found in the Keycloak keycloak-services component, which handles identity provider management. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret. This highlights the importance of proper validation and secret management in identity provider configurations.
- Vendor
- Red Hat
- Product
- Red Hat Build of Keycloak
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Keycloak keycloak-services component should verify their configurations, update to a fixed version if available, and monitor for suspicious activity. This includes administrators responsible for identity provider management, security teams, and operators of Keycloak deployments. They should review the CVE record and vendor guidance for affected scope and severity.
Technical summary
The Keycloak keycloak-services component handles identity provider management. A delegated administrator can update an OIDC identity provider using a masked client secret sentinel value. However, due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed. This allows an attacker to redirect and capture the secret, emphasizing the need for proper validation and secret management in Keycloak configurations.
Defensive priority
Medium priority due to CVSS score of 5.5 and potential for secret capture.
Recommended defensive actions
- Verify Keycloak keycloak-services component configurations
- Update to a fixed version if available
- Monitor for suspicious activity
- Implement compensating controls for secret management
- Review vendor guidance for affected scope and severity
- Conduct exposure review for Keycloak deployments
- Track exceptions and retest remediated assets
Evidence notes
Evidence is limited. Primary official records indicate a flaw in Keycloak keycloak-services component. Vendor remediation and compensating controls are recommended. The issue involves improper validation of security-sensitive fields when updating an OIDC identity provider, allowing potential secret capture. Defenders should verify configurations, monitor for suspicious activity, and implement additional security measures.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T12:17:03.313Z and has not been modified since then.