Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

Affected Packages

Maven org.keycloak:keycloak-services

Affected versions: 0 (fixed in 26.2.8)

Maven org.keycloak:keycloak-services

Affected versions: 26.3.0 (fixed in 26.3.3)

Related CVEs

CVE-2025-8419

Key Information

GHSA ID

GHSA-m4j5-5x4r-2xp9

Published

September 17, 2025 8:24 PM

Last Modified

September 17, 2025 8:24 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.keycloak:keycloak-services

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.