CVE-2025-8419

Medium CVSS: 5.3

A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

Vendor

Redhat

Product

Keycloak

CWE

CWE-93

Yayın Tarihi

2025-08-06 17:15:38

Güncelleme

2026-01-08 04:15:56

Source Identifier

secalert@redhat.com

KEV Date Added

Kategoriler

CWE-93 Keycloak MEDIUM Redhat 2025

Referanslar

https://access.redhat.com/errata/RHSA-2025:15336 https://access.redhat.com/errata/RHSA-2025:15337 https://access.redhat.com/errata/RHSA-2025:15338 https://access.redhat.com/errata/RHSA-2025:15339 https://access.redhat.com/security/cve/CVE-2025-8419 https://bugzilla.redhat.com/show_bug.cgi?id=2385776

Benzer Kayıtlar

High

CVE-2026-28369

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more…

High

CVE-2026-28368

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where…

Medium

CVE-2026-3121

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where thi…

Medium

CVE-2026-3190

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to…

Low

CVE-2026-4874

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating t…

Low

CVE-2026-4633

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login…