Back to overview

CVE-2026-16089

MEDIUM
5.4
CVSS 3.1
Description
A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their own client, potentially allowing them to obtain access tokens for a victim's identity.

Metadata

CVE ID
CVE-2026-16089
State
PUBLISHED
Assigner
redhat
Reserved
2026-07-17 14:00 UTC
Published
2026-07-17 14:15 UTC
Last updated
2026-07-17 14:15 UTC
Vendor / Product
Red Hat / Red Hat Build of Keycloak
Sources
cve.org  ·  NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Affected products (6)
VendorProductPlatformVersions
Red Hat Red Hat Build of Keycloak
Red Hat Red Hat Build of Keycloak
Red Hat Red Hat Build of Keycloak
Red Hat Red Hat Data Grid 8
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat Red Hat Single Sign-On 7
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Back to overview