Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 36 maven packages depend on org.keycloak:keycloak-services (16 direct, 20 indirect)
Ecosystem-wide dependent count for version 26.2.0.
DescriptionCVE.org
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
AnalysisAI
CVE-2025-7365 is an account takeover vulnerability in Keycloak affecting authenticated users during IdP-initiated account merging workflows. An attacker with valid authentication can manipulate the account merge process to change an email address to match a victim's email, triggering a verification email to the victim that lacks sender attribution-enabling phishing. Successful exploitation grants the attacker full account access to the victim's Keycloak account with high confidentiality, integrity, and availability impact (CVSS 7.1). No public POC or active KEV status has been confirmed at this time, but the attack requires low technical complexity and user interaction (clicking a verification link).
Technical ContextAI
The vulnerability exists in Keycloak's identity provider (IdP) account linking and profile review functionality. When an authenticated user initiates an account merge with an external IdP, Keycloak prompts for profile review before finalizing the link. The flaw resides in insufficient validation of email ownership during this review stage (CWE-346: Classification as Trusted Source). An attacker can modify the email field to an arbitrary victim's email address without proof-of-ownership checks prior to sending the verification email. The verification email is generic and does not include the attacker's email address or session identifier, making it appear as a legitimate account recovery/verification message to the victim. This violates the principle of email-as-identity-proof without prior authorization and exploits Keycloak's trust in the review-profile workflow. Affected Keycloak versions incorporate this flaw in the account management and federation modules, typically instantiated via OpenID Connect or SAML IdP connectors.
RemediationAI
Immediate actions: (1) Disable account linking features if not operationally required, or restrict to trusted IdPs only via Keycloak ACLs. (2) Review and enforce email verification policies—require email ownership validation (confirmation token sent to the email address being set) before finalizing any email change during account merge, separate from the initial account linking verification. (3) Audit logs: enable and monitor account linking and email modification events for suspicious patterns. (4) User education: warn users not to click verification links from unexpected emails or to verify sender identity. (5) Apply patches from Keycloak security advisories once available (check https://www.keycloak.org/security or your vendor's advisory database for CVE-2025-7365 patch release details). Long-term: implement CWE-346 mitigations—require proof-of-ownership for any email address modifications in sensitive workflows, implement rate limiting on verification email sends per account/IP, and use email headers (From/Reply-To) that clearly identify the Keycloak instance and requester.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #1088287| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-20994
GHSA-xhpr-465j-7p9q