CVE-2026-15943
MEDIUM
NVD
CVSS Score
5.5
Severity
MEDIUM
Published
Jul 17, 2026
Vendor
unknown
Description
A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.