allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.
Metrics
Affected Vendors & Products
Solution
No solution given by the vendor.
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Mon, 22 Sep 2025 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 22 Sep 2025 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 04 Sep 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:build_keycloak:26.0 cpe:/a:redhat:build_keycloak:26.0::el9 cpe:/a:redhat:build_keycloak:26.2 cpe:/a:redhat:build_keycloak:26.2::el9 |
|
References |
|
Thu, 21 Aug 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 21 Aug 2025 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment. |
Title | org.keycloak/keycloak-model-storage-service: Variable injection into environment variables | Org.keycloak/keycloak-model-storage-service: variable injection into environment variables |
First Time appeared |
Redhat
Redhat build Keycloak |
|
CPEs | cpe:/a:redhat:build_keycloak: | |
Vendors & Products |
Redhat
Redhat build Keycloak |
|
References |
|
Wed, 20 Aug 2025 00:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | |
Title | org.keycloak/keycloak-model-storage-service: Variable injection into environment variables | |
Weaknesses | CWE-526 | |
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2025-09-22T16:03:47.359Z
Reserved: 2025-08-19T13:11:49.675Z
Link: CVE-2025-9162

Updated: 2025-08-21T19:59:14.033Z

Status : Awaiting Analysis
Published: 2025-08-21T16:15:35.067
Modified: 2025-09-22T16:15:46.420
Link: CVE-2025-9162


No data.