CVE-2025-9162

EPSS 0.05%
Published 21.08.2025 15:40:25
Last modified 22.09.2025 16:15:46
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process
allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

Affected products Warnungen 0 Metrics 2 CWE 1 References 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.0

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.0

Default Statusaffected

Version < *

Version 26.0.15-1

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.0

Default Statusaffected

Version < *

Version 26.0-18

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.0

Default Statusaffected

Version < *

Version 26.0-19

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusaffected

Version < *

Version 26.2.8-1

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusaffected

Version < *

Version 26.2-8

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusaffected

Version < *

Version 26.2-8

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusaffected

Version < *

Version 26.2.9-1

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusaffected

Version < *

Version 26.2-9

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2

Default Statusaffected

Version < *

Version 26.2-9

Status unaffected

VendorRed Hat

≫

Product Red Hat build of Keycloak 26.2.9

Default Statusunaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.133

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable

The product uses an environment variable to store unencrypted sensitive information.

https://access.redhat.com/security/cve/CVE-2025-9162

https://bugzilla.redhat.com/show_bug.cgi?id=2389396

https://access.redhat.com/errata/RHSA-2025:15336

https://access.redhat.com/errata/RHSA-2025:15337

https://access.redhat.com/errata/RHSA-2025:15338

https://access.redhat.com/errata/RHSA-2025:15339

https://access.redhat.com/errata/RHSA-2025:16399

https://access.redhat.com/errata/RHSA-2025:16400

https://nvd.nist.gov/vuln/detail/CVE-2025-9162

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-9162

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-9162

EUVD