Description
A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The issue occurs because the system fails to mask sensitive configuration values, such as reCAPTCHA secret keys, when they are requested by administrators with view-only permissions. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs.
No analysis available yet.
Remediation
Vendor Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 17 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The issue occurs because the system fails to mask sensitive configuration values, such as reCAPTCHA secret keys, when they are requested by administrators with view-only permissions. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs. | |
| Title | Keycloak-services: keycloak-services: authenticator config endpoint exposes raw recaptcha secrets to view-only admins | |
| First Time appeared |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| CPEs | cpe:/a:redhat:build_keycloak: cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Vendors & Products |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-17T17:24:34.155Z
Reserved: 2026-07-17T14:48:32.086Z
Link: CVE-2026-16104
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.