{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/keycloak/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Keycloak"],"_cs_severities":["medium"],"_cs_tags":["keycloak","email","vulnerability","spoofing"],"_cs_type":"advisory","_cs_vendors":["Keycloak"],"content_html":"\u003cp\u003eA vulnerability in Keycloak allows an unauthenticated, remote attacker to make the server send arbitrary emails. The BSI advisory (WID-SEC-2025-1870) highlights the potential for exploitation; no CVE is listed for the issue in this brief. The weakness matters because the mail originates from Keycloak\u0026rsquo;s own configured SMTP relay and sender address, so it inherits whatever trust recipients place in their identity provider: an attacker can use it to deliver phishing emails, malware links, or other social engineering content to users of systems integrated with Keycloak. Successful exploitation could damage trust in the platform and lead to compromised user accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Keycloak instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a request that exploits the email-sending vulnerability.\u003c/li\u003e\n\u003cli\u003eThe request bypasses the authentication and authorization checks that gate email functionality, and Keycloak processes it without further validation.\u003c/li\u003e\n\u003cli\u003eKeycloak\u0026rsquo;s email service sends a message with attacker-controlled content.\u003c/li\u003e\n\u003cli\u003eThe email is delivered to the targeted recipient(s) from Keycloak\u0026rsquo;s legitimate sender address.\u003c/li\u003e\n\u003cli\u003eThe recipient interacts with the malicious email (e.g., clicks a link, opens an attachment).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (e.g., credential harvesting, malware infection).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the distribution of phishing emails, malware, or other malicious content, potentially compromising user accounts or systems integrated with Keycloak, with knock-on reputational damage, data breaches, and financial losses. The advisory does not state which versions are affected or how many systems are exposed; treat every unpatched Keycloak instance, especially one reachable from the internet with outbound SMTP configured, as potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Keycloak to the version referenced as fixed in the BSI advisory (WID-SEC-2025-1870), or to the latest release if it is newer.\u003c/li\u003e\n\u003cli\u003eMonitor Keycloak event logs for suspicious email activity, such as bursts of email-sending events from a single source IP or an unusual volume of outbound mail for a realm; the Sigma rule \u0026ldquo;Detect Suspicious Keycloak Email Activity\u0026rdquo; targets this activity.\u003c/li\u003e\n\u003cli\u003eRate-limit the endpoints that trigger outbound mail (at a reverse proxy or WAF in front of Keycloak where the deployment has no native control) to mitigate abuse until the upgrade is applied, and alert on attempts to bypass the limit, for example the same pattern spread across many source IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T07:59:27Z","date_published":"2026-05-13T07:59:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-keycloak-email-vuln/","summary":"An unauthenticated, remote attacker can exploit a vulnerability in Keycloak to send arbitrary emails, potentially leading to phishing or social engineering attacks.","title":"Keycloak Vulnerability Allows Arbitrary Email Sending","url":"https://feed.craftedsignal.io/briefs/2026-05-keycloak-email-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Keycloak","version":"https://jsonfeed.org/version/1.1"}
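The brief's recommendation to monitor Keycloak logs for suspicious email activity and to watch for rate-limit bypass can be exercised with a small detector. The following is an added example, not code from the CraftedSignal brief, the Sigma rule it names, or the Keycloak project. It assumes event lines in the shape produced by Keycloak's jboss-logging event listener (`type=..., realmId=..., clientId=..., userId=..., ipAddress=...`), uses the email-related event type names from `org.keycloak.events.EventType`, and runs two sliding-window counters: one per source IP, and one per realm so that an attacker who rotates IPs to stay under the per-IP limit is still caught. The thresholds, the `_line` helper and the `SAMPLE_LOG` lines are constructed for the demo.

```python
"""Burst detection over Keycloak email-sending events.

Added example (assumptions): log line format modelled on Keycloak's
jboss-logging event listener, event type names from EventType, and
thresholds/sample lines constructed for this demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types that cause Keycloak to send mail (names from EventType).
EMAIL_EVENT_TYPES = {"SEND_RESET_PASSWORD", "SEND_VERIFY_EMAIL", "SEND_IDENTITY_PROVIDER_LINK"}

# Assumed line shape: "<ts>,<ms> <LEVEL> [org.keycloak.events] (<thread>) k=v, k=v, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \S+ "
    r"\[org\.keycloak\.events\] \(\S+\) (?P<kv>.*)$"
)


def parse_event(line):
    """Return the event's key=value fields plus a parsed 'ts', or None if the
    line is not a Keycloak event line in the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for pair in m.group("kv").split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields


def detect_email_bursts(lines, per_ip=5, per_realm=20, window_seconds=60):
    """Flag bursts of email-sending events (assumed thresholds).

    ip_burst    - one source IP triggers >= per_ip mails inside the window.
    realm_burst - the realm sends >= per_realm mails inside the window; this
                  still fires when the attacker spreads requests across IPs.
    Each (rule, key) alerts once; a production pipeline would re-arm after
    the window has expired.
    """
    window = timedelta(seconds=window_seconds)
    buckets = {"ip_burst": defaultdict(deque), "realm_burst": defaultdict(deque)}
    limits = {"ip_burst": per_ip, "realm_burst": per_realm}
    fired, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("type") not in EMAIL_EVENT_TYPES:
            continue
        for rule, key in (("ip_burst", ev.get("ipAddress")), ("realm_burst", ev.get("realmId"))):
            q = buckets[rule][key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop events outside the window
                q.popleft()
            if len(q) >= limits[rule] and (rule, key) not in fired:
                fired.add((rule, key))
                alerts.append({"rule": rule, "key": key, "count": len(q), "at": ev["ts"]})
    return alerts


def _line(ts, event_type, ip, realm="acme", user="u1"):
    """Build one constructed log line in the assumed format."""
    return (f"{ts} DEBUG [org.keycloak.events] (executor-thread-1) type={event_type}, "
            f"realmId={realm}, clientId=account, userId={user}, ipAddress={ip}, "
            f"auth_method=openid-connect")


# Constructed sample log: a login (ignored), one legitimate password reset,
# six resets in six seconds from one IP, then twenty verification mails from
# twenty different IPs inside one minute (under the per-IP limit).
SAMPLE_LOG = [
    _line("2026-05-13 08:00:00,000", "LOGIN", "198.51.100.5"),
    _line("2026-05-13 08:00:01,000", "SEND_RESET_PASSWORD", "198.51.100.5"),
    *[_line(f"2026-05-13 08:01:{i:02d},000", "SEND_RESET_PASSWORD", "203.0.113.7", user=f"u{i}")
      for i in range(6)],
    *[_line(f"2026-05-13 08:02:{i:02d},000", "SEND_VERIFY_EMAIL", f"203.0.113.{100 + i}", user=f"v{i}")
      for i in range(20)],
]

if __name__ == "__main__":
    for alert in detect_email_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the per-IP rule fires for `203.0.113.7` once its fifth reset arrives, and the distributed batch, which never exceeds one mail per IP, is caught only by the realm-level counter. In a real deployment the thresholds need tuning against the realm's normal reset and verification volume, and the detector should be fed from the event listener's output (or the events database) rather than from a log file that only records events at DEBUG level.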