CVE-2020-1758
Description
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak before 10.0.0 lacks TLS hostname verification when sending email via SMTP, enabling MITM attacks.
Root Cause
CVE-2020-1758 affects Keycloak versions prior to 10.0.0. When Keycloak opens a TLS (or STARTTLS) connection to the configured SMTP server to send email, it does not check that the name in the server's certificate (subject alternative name or CN) matches the configured SMTP host. The certificate chain may still be validated against the JVM trust store, but without the name check any certificate that chains to a trusted CA, issued for any host, is accepted, so the connection offers no assurance that the peer is the intended mail server [1][2].
Exploitation
An attacker who can intercept or redirect traffic between the Keycloak server and the SMTP server can terminate the TLS session themselves and relay it onward, a classic man-in-the-middle (MITM) position. Because the host name is not verified, the attacker does not need to forge a certificate for the real SMTP host: a valid certificate for any name, issued by any CA in Keycloak's trust store, is enough. No credentials for Keycloak or for the SMTP server are needed beyond that network position [1].
Impact
If successfully exploited, the attacker can read and alter every email Keycloak sends, including password reset messages whose links carry the one-time reset token; capturing such a link lets the attacker complete the reset and take over the account. If Keycloak authenticates to the SMTP server, the SMTP username and password sent inside the intercepted session are exposed as well. The result is information disclosure and potential account compromise [1][2].
Mitigation
The issue is fixed in Keycloak version 10.0.0. Red Hat has also shipped fixes in Red Hat Single Sign-On 7.3 for RHEL 6, 7, and 8 (RHSA-2020:2106, RHSA-2020:2107, RHSA-2020:2108). Administrators unable to upgrade can mitigate by disabling all email notifications, including password reset emails; this removes the exposure at the cost of self-service password reset and email verification, so it is a stop-gap until the upgrade is applied [2].
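The root cause and the fix above come down to one JavaMail session property. The following is an added example written for this page, not Keycloak's code, and the page does not show the exact change made in the Keycloak fix; it sets up the same SMTP session twice, once the weak way (STARTTLS on, server identity never checked) and once hardened, and includes a small audit helper for inspecting a session's properties. The property names are JavaMail/Jakarta Mail's own; the host, port, addresses and credentials are placeholders.

```java
// Added example (not Keycloak code). Shows the misconfiguration behind
// CVE-2020-1758 beside the hardened equivalent, using Jakarta Mail.
import java.util.Properties;
import jakarta.mail.Authenticator;
import jakarta.mail.Message;
import jakarta.mail.MessagingException;
import jakarta.mail.PasswordAuthentication;
import jakarta.mail.Session;
import jakarta.mail.Transport;
import jakarta.mail.internet.InternetAddress;
import jakarta.mail.internet.MimeMessage;

public class SmtpHostnameVerification {

    /** Weak: the channel is encrypted with STARTTLS, but the server
     *  certificate is never compared against mail.smtp.host. Any certificate
     *  the JVM trust store chains to, for any host, is accepted, so a MITM
     *  holding a valid certificate for an unrelated domain sees the reset
     *  mail and the SMTP credentials. Older JavaMail releases default
     *  mail.smtp.ssl.checkserveridentity to false; never rely on the default. */
    static Properties weakProps(String host, int port) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", Integer.toString(port));
        p.put("mail.smtp.auth", "true");
        p.put("mail.smtp.starttls.enable", "true");
        // Also avoid mail.smtp.ssl.trust=* : it disables chain validation entirely.
        return p;
    }

    /** Hardened: refuse a plaintext downgrade, verify that the certificate's
     *  SAN/CN matches the configured host, and pin modern TLS versions. */
    static Properties hardenedProps(String host, int port) {
        Properties p = weakProps(host, port);
        p.put("mail.smtp.starttls.required", "true");
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        p.put("mail.smtp.ssl.protocols", "TLSv1.2 TLSv1.3");
        return p;
    }

    /** Audit helper: true only when server identity checking is explicitly on. */
    static boolean verifiesServerIdentity(Properties p) {
        return Boolean.parseBoolean(
                p.getProperty("mail.smtp.ssl.checkserveridentity", "false"));
    }

    /** Sends a minimal message with the given session properties. */
    static void send(Properties props, String user, String password,
                     String from, String to) throws MessagingException {
        Session session = Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(user, password);
            }
        });
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipients(Message.RecipientType.TO, InternetAddress.parse(to));
        msg.setSubject("Password reset");
        msg.setText("A real reset link would carry a one-time token here.");
        Transport.send(msg);
    }

    public static void main(String[] args) throws MessagingException {
        // Placeholder host and port (assumption; no real server is contacted here).
        Properties weak = weakProps("smtp.example.test", 587);
        Properties hard = hardenedProps("smtp.example.test", 587);
        System.out.println("weak session verifies server identity: "
                + verifiesServerIdentity(weak));
        System.out.println("hardened session verifies server identity: "
                + verifiesServerIdentity(hard));
        // send(hard, "keycloak", "placeholder-secret",
        //      "noreply@example.test", "user@example.test");
    }
}
```

With the hardened properties, a MITM presenting a certificate for some other name fails the identity check and the send aborts with a MessagingException instead of silently handing over the reset token; `mail.smtp.starttls.required` additionally stops an attacker from stripping the STARTTLS offer and forcing plaintext.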
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-parent (Maven) | < 10.0.0 | 10.0.0 |
Affected products
- Red Hat / keycloak: versions before 10.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-c597-f74m-jgc2 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-1758 (NVD)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- https://issues.redhat.com/browse/KEYCLOAK-13285 (Keycloak issue tracker)
News mentions
No linked articles in our index yet.