Security

In Keycloak in versions prior to 26.3.0 a high severity vulnerability CVE-2025-7365 was detected. This vulnerability allows an authenticated attacker to exploit the account merging process during an identity provider login. By modifying their email to match that of a victim, the attacker triggers a verification email sent to the victim without revealing their own address. To address this issue users must upgrade to version 26.3.0. For more details, visit https://www.cvedetails.com/cve/CVE-2025-7365/.

In authentik versions prior to 2025.4.3 and 2025.6.3 a medium severity vulnerability CVE-2025-52553 was detected. This vulnerability allows unauthorized users to reuse session tokens tied to RAC (Remote Access Component) endpoints by copying URLs containing these tokens, potentially accessing the same session during actions like screensharing. To address this issue, users should upgrade authentik to versions 2025.4.3 or 2025.6.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52553.

In Vault Community and Vault Enterprise versions prior to 1.20.0 a low severity vulnerability CVE-2025-4656 was detected. This vulnerability allows Vault operators to trigger denial-of-service (DoS) conditions by cancelling rekey or recovery key operations without proper control. To address this issue, users should upgrade Vault Community Edition to versions 1.20.0, Vault Enterprise to versions 1.20.0, 1.19.6, 1.18.11, 1.17.17 or 1.16.22. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4656.

In Traefik versions 2.11.24 and prior, 3.4.0 and prior a low severity vulnerability CVE-2025-47952 was detected. This vulnerability allows attackers to bypass the middleware chain and target unintended backends by exploiting URL-encoded strings in the request path when PathPrefix, Path, or PathRegex matchers are used. To address this issue, users should upgrade to versions 2.11.25, 3.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47952.

In Vault Community Edition versions prior to 1.19.3, and in Vault Enterprise versions from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15 and 1.16.19 a medium severity vulnerability CVE-2025-4166 was detected. This vulnerability allows attackers to unintentionally expose sensitive information in server and audit logs when submitting malformed payloads via the REST API during secret creation or updates. To address this issue, users should upgrade Vault Community to versions 1.19.3 or Vault Enterprise to versions 1.19.3, 1.18.9, 1.17.16 or 1.16.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4166.

In Vault Community Edition versions from 0.10.0 up to 1.19.0, and Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13 and 1.16.17 a medium severity vulnerability CVE-2025-3879 was detected. This vulnerability allows attackers to bypass the `bound_locations` parameter during login due to improper validation of claims in Azure-issued tokens within the Azure Auth method. To address this issue, users should upgrade Vault Community to versions 1.19.1 or Vault Enterprise to versions 1.19.1, 1.18.7, 1.17.14 or 1.16.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3879.

In Traefik versions prior to 2.11.24, 3.3.6 and 3.4.0-rc2 a high severity vulnerability CVE-2025-32431 was detected. This vulnerability allows attackers to bypass middleware chains by exploiting path matchers (PathPrefix, Path, or PathRegex) when a request URL contains `/../`, potentially targeting unintended backends. To address this issue, users should upgrade Traefik to versions 2.11.24, 3.3.6 or 3.4.0-rc2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32431.

In OpenVPN versions 2.6.1 through 2.6.13 a high severity vulnerability CVE-2025-2704 was detected. This vulnerability allows remote attackers to trigger a denial of service by corrupting and replaying network packets during the early TLS-crypt-v2 handshake phase when OpenVPN is operating in server mode. To address this issue, users should upgrade OpenVPN to versions 2.6.14 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2704.

In Open Webui versions 0.3.32 a high severity vulnerability CVE-2024-12537 was detected. This vulnerability allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with excessive content, the server could become unresponsive or experience significant performance degradation, potentially causing service interruptions for legitimate users. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-12537.