CVE-2025-9162

MEDIUM

KeycloakRealmImport - Code Injection

Title source: llm

Description

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

References (8)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:15336
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:15337
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:15338
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:15339
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:16399
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:16400
Vendor Advisory (VDB entry): https://access.redhat.com/security/cve/CVE-2025-9162
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=2389396

Scores

CVSS v3 4.9
EPSS 0.0004
EPSS Percentile 11.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-526 (Cleartext Storage of Sensitive Information in an Environment Variable)
Status published
Products (12)
Keycloak/keycloak < 26.3.4
org.keycloak/keycloak-model-storage-services (Maven)
Red Hat/Red Hat build of Keycloak 26.0
Red Hat/Red Hat build of Keycloak 26.0 26.0-18
Red Hat/Red Hat build of Keycloak 26.0 26.0-19
Red Hat/Red Hat build of Keycloak 26.0 26.0.15-1
Red Hat/Red Hat build of Keycloak 26.2
Red Hat/Red Hat build of Keycloak 26.2 26.2-8
Red Hat/Red Hat build of Keycloak 26.2 26.2-9
Red Hat/Red Hat build of Keycloak 26.2 26.2.8-1
... and 2 more
Published Aug 21, 2025
Tracked Since Feb 18, 2026