CVE-2026-15943
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM



