A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.
rhbk/keycloak Red Hat / RHEL
Fixed in: RHSA-2025:15337, RHSA-2025:16400, RHSA-2025:15338 (rhel9, rhel9-operator and operator-bundle images)
rhbk/keycloak Rocky
Fixed in: RHSA-2025:15337, RHSA-2025:16400, RHSA-2025:15338 (rhel9, rhel9-operator and operator-bundle images)
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
0.46% probability of exploitation in 30 days
37th percentile
Low risk: more likely to be exploited than 37% of all known CVEs.
Reference: CVE-2025-9162, https://tridentstack.com/cve/CVE-2025-9162
This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-09-22.