Vulnerability	Vulnerable Version
M Exposure of Sensitive Information Through Environmental Variables org.keycloak:keycloak-core is an open source identity and access management solution. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs. Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like `${env.VARNAME}` or `${PROPNAME}`, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties. How to fix Exposure of Sensitive Information Through Environmental Variables? Upgrade `org.keycloak:keycloak-core` to version 26.0.8 or higher.	[,26.0.8)

Exposure of Sensitive Information Through Environmental Variables

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Environmental Variables through user-configurable URLs.

Exploiting this vulnerability is possible with the configuration of backchannel logout URLs or admin URLs, when including placeholders like ${env.VARNAME} or ${PROPNAME}, which are replaced with actual values during URL processing. An attacker can access sensitive server environment variables and system properties.

How to fix Exposure of Sensitive Information Through Environmental Variables?

Upgrade org.keycloak:keycloak-core to version 26.0.8 or higher.

[,26.0.8)

Go back to all versions of this package