PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16089 Red Hat CVE debrief

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their own client, potentially allowing them to obtain access tokens for a victim's identity. This vulnerability has significant implications for users of Red Hat Build of Keycloak, particularly in terms of authentication and authorization.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

This vulnerability affects users of Red Hat Build of Keycloak, particularly those responsible for authentication and authorization. If you are using this product, you should take steps to verify your inventory and apply patches or mitigations as necessary. Operators, platform administrators, and security teams should review their systems and implement defensive measures to prevent exploitation.

Technical summary

The vulnerability has a CVSS score of 5.4 and a severity of MEDIUM. It is related to the keycloak-services component of Red Hat Build of Keycloak. The issue is caused by OAuth 2.0 authorization codes not being properly bound to the client that originally requested them, which could allow attackers to intercept and modify authorization codes to obtain access tokens for a victim's identity. This vulnerability affects users of Red Hat Build of Keycloak, particularly those using OAuth 2.0 for authentication.

Defensive priority

Medium priority due to the potential for attackers to obtain access tokens for a victim's identity. Defenders should prioritize patching and mitigation efforts based on their specific risk profile and exposure to this vulnerability.

Recommended defensive actions

  • Verify your inventory of Red Hat Build of Keycloak instances
  • Apply patches or mitigations as necessary
  • Monitor for suspicious activity related to OAuth 2.0 authorization codes
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T15:16:46.317Z and has not been modified since. The NVD entry is currently being reviewed. Evidence is limited to public sources and may not reflect the full scope of affected systems. Defenders should verify their inventory and apply patches or mitigations as necessary. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them, potentially allowing attackers to obtain access tokens for a victim's identity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T15:16:46.317Z and has not been modified since.