PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-16104 Red Hat CVE debrief

A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The system fails to mask sensitive configuration values, such as reCAPTCHA secret keys, when requested by administrators with view-only permissions. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of Red Hat Build of Keycloak identity and access management systems should be aware of this vulnerability. They should review and update the Keycloak configuration to ensure sensitive values are properly masked and limit access to the authentication configuration endpoint to only those who require it. Security teams and vulnerability management teams should also be aware of the potential exposure of sensitive credentials.

Technical summary

The keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management, has a flaw in its authentication configuration endpoint. When administrators with view-only permissions request sensitive configuration values, such as reCAPTCHA secret keys, the system fails to mask these values. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM.

Defensive priority

Medium priority due to the potential exposure of sensitive credentials.

Recommended defensive actions

  • Review and update the Keycloak configuration to ensure sensitive values are properly masked.
  • Limit access to the authentication configuration endpoint to only those who require it.
  • Monitor administrative logs for potential exposure of sensitive credentials.
  • Consider implementing additional security measures, such as encryption, for sensitive configuration values.
  • Perform a thorough review of the affected system to identify potential exposure.
  • Track exceptions and retest remediated assets to ensure the vulnerability is properly mitigated.
  • Verify that the vendor's guidance is followed for patching and mitigation.

Evidence notes

The CVE record was published on 2026-07-17T17:17:14.393Z and has not been modified since then. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The authentication configuration endpoint flaw in keycloak-services may expose sensitive credentials, requiring careful review of administrative logs and configuration values.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:14.393Z and has not been modified since then.