CVE-2026-16104 in Build of Keycloakinfo

Summary

by MITRE • 07/17/2026

A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The issue occurs because the system fails to mask sensitive configuration values, such as reCAPTCHA secret keys, when they are requested by administrators with view-only permissions. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability resides within the keycloak-services component of Red Hat Build of Keycloak, representing a critical misconfiguration in the identity and access management system that directly impacts credential security. The flaw manifests specifically in the authentication configuration endpoint where sensitive values are not properly masked during retrieval operations. When administrators with view-only permissions request configuration data through this endpoint, the system fails to sanitize or obscure sensitive parameters including reCAPTCHA secret keys and other third-party service credentials. This represents a direct violation of information protection principles and creates an attack surface that could be exploited by malicious actors seeking to compromise authentication systems.

The technical implementation flaw stems from inadequate input sanitization and output filtering within the configuration retrieval mechanism. When configuration values are accessed programmatically through the authentication endpoint, the system does not apply proper masking protocols that would normally obscure sensitive data fields. This vulnerability maps directly to CWE-200 Information Exposure and CWE-312 Cleartext Storage of Sensitive Information, as it exposes confidential credentials in plain text format during routine administrative operations. The flaw extends beyond simple logging issues to represent a fundamental breakdown in privilege-based access control enforcement where view-only permissions do not properly restrict data visibility.

The operational impact of this vulnerability extends far beyond immediate credential exposure, creating cascading security risks throughout the identity management infrastructure. Administrative logs that capture configuration requests may inadvertently store complete credential information, providing attackers with persistent access vectors even after initial compromise attempts. Third-party service credentials exposed through this vulnerability could enable attackers to bypass authentication mechanisms, manipulate reCAPTCHA systems, or gain unauthorized access to services that depend on these keys for verification. This vulnerability aligns with ATT&CK technique T1566 Credential Access through Phishing and T1078 Valid Accounts, as compromised credentials could facilitate further lateral movement within the network.

Organizations utilizing Red Hat Build of Keycloak must implement immediate mitigations including configuration updates to enforce proper credential masking across all administrative endpoints. The system should be configured to automatically mask sensitive values regardless of user permissions, ensuring that even view-only administrators cannot access unobfuscated credentials through normal operations. Additionally, comprehensive logging reviews are required to identify and purge any previously exposed credential information from administrative logs. Network-level monitoring should be enhanced to detect unusual patterns in configuration endpoint access that might indicate unauthorized attempts to extract sensitive data. Regular security assessments of identity management systems should include verification that all sensitive configuration values are properly masked during retrieval operations to prevent similar vulnerabilities from emerging in other components of the authentication infrastructure.

Responsible

Redhat

Reservation

07/17/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!