CVE-2025-7365

EUVD-2025-20994 | Severity: HIGH | CVSS 3.1 base score: 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Patch Released: Mar 31, 2026 - 21:13 (source: nvd) - patch available
Analysis Generated: Mar 16, 2026 - 06:52 (source: vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (source: euvd) - EUVD-2025-20994
CVE Published: Jul 10, 2025 - 15:15 (source: nvd)

Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

Analysis

CVE-2025-7365 is an account takeover vulnerability in Keycloak affecting authenticated users during IdP-initiated account merging workflows. An attacker with valid authentication can manipulate the account merge process to change an email address to match a victim's email, triggering a verification email to the victim that lacks sender attribution, which enables phishing. Successful exploitation grants the attacker full access to the victim's Keycloak account, with high confidentiality, integrity, and availability impact (CVSS 7.1). No public POC or active KEV status has been confirmed at this time, but the attack requires low technical complexity and user interaction (clicking a verification link).

Technical Context

The vulnerability exists in Keycloak's identity provider (IdP) account linking and profile review functionality. When an authenticated user initiates an account merge with an external IdP, Keycloak prompts for profile review before finalizing the link. The flaw resides in insufficient validation of email ownership during this review stage (CWE-346: Classification as Trusted Source). An attacker can modify the email field to an arbitrary victim's email address without any proof-of-ownership check before the verification email is sent. The verification email is generic and does not include the attacker's email address or session identifier, so to the victim it looks like a legitimate account recovery or verification message. In effect, an unverified email address is treated as proof of identity before any ownership check has run, and the review-profile step is trusted more than it should be. Affected Keycloak versions carry this flaw in the account management and federation modules, typically reached through OpenID Connect or SAML IdP connectors.

Affected Products

Keycloak (all versions with account linking/federation features; no specific version range provided in description, likely 15.x through current 25.x based on feature presence). Affected CPE would be: cpe:2.3:a:keycloak:keycloak:*:*:*:*:*:*:*:*. The vulnerability specifically affects deployments that: (1) enable account linking during IdP login, (2) implement the 'review profile' step in the authentication flow, (3) allow authenticated users to modify email fields without re-verification. No vendor advisory links or patched version information was provided; consult Keycloak security advisories and release notes for specific fixed versions (likely in the next maintenance/minor release).

Remediation

Immediate actions:
(1) Disable account linking features if not operationally required, or restrict to trusted IdPs only via Keycloak ACLs.
(2) Review and enforce email verification policies: require email ownership validation (confirmation token sent to the email address being set) before finalizing any email change during account merge, separate from the initial account linking verification.
(3) Audit logs: enable and monitor account linking and email modification events for suspicious patterns.
(4) User education: warn users not to click verification links from unexpected emails, and to verify sender identity.
(5) Apply patches from Keycloak security advisories once available (check https://www.keycloak.org/security or your vendor's advisory database for CVE-2025-7365 patch release details).

Long-term: implement CWE-346 mitigations: require proof-of-ownership for any email address modification in sensitive workflows, rate-limit verification email sends per account/IP, and use email headers (From/Reply-To) that clearly identify the Keycloak instance and the requester.
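As an added example of the log-monitoring step in (3) above (not vuln.today's analysis or Keycloak's own code), the following scans constructed Keycloak-style event lines for the pattern this CVE produces: an email change or verification-email send, inside a recent IdP link/review-profile session, whose target address already belongs to a different account. The key=value layout and event type names approximate Keycloak's logging event listener and are assumptions; the user directory, session ids and timestamps are made up.

```python
"""Detect the CVE-2025-7365 pattern: an authenticated user, mid IdP account link,
sets their email to an address owned by another account, so the verification
mail goes to that victim. Heuristic over constructed Keycloak-style events."""
from datetime import datetime, timedelta

# Constructed realm directory (email -> userId); assumed to come from the
# Keycloak admin API or a user export. Values are made up.
USER_DIRECTORY = {
    "alice@example.org": "u-1001",
    "mallory@example.org": "u-2002",
}

# Constructed event lines. Event type and detail names are assumptions
# modelled on Keycloak's EventType enum and logging event listener.
EVENTS = [
    "2026-03-16T06:40:01Z type=IDENTITY_PROVIDER_FIRST_LOGIN, userId=u-2002, sessionId=s-9, identity_provider=corp-saml",
    "2026-03-16T06:40:05Z type=UPDATE_PROFILE, userId=u-2002, sessionId=s-9, context=IDP_REVIEW_PROFILE",
    "2026-03-16T06:40:06Z type=UPDATE_EMAIL, userId=u-2002, sessionId=s-9, previous_email=mallory@example.org, updated_email=alice@example.org",
    "2026-03-16T06:40:07Z type=SEND_VERIFY_EMAIL, userId=u-2002, sessionId=s-9, email=alice@example.org",
    # Benign: a user changes their own email to a brand-new address.
    "2026-03-16T07:10:00Z type=UPDATE_EMAIL, userId=u-1001, sessionId=s-3, previous_email=alice@example.org, updated_email=alice.new@example.org",
]


def parse_event(line):
    """Split '<iso-ts> k=v, k=v, ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.strip().split("=", 1) for kv in rest.split(","))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_cross_account_email_claims(lines, directory, window=timedelta(minutes=10)):
    """Return alerts where a user's new/verified email belongs to a different
    account and the event happened within `window` of an IdP link in that session."""
    link_sessions = {}  # sessionId -> time of the IdP first-login/link event
    alerts = []
    for ev in map(parse_event, lines):
        sid = ev.get("sessionId")
        if ev["type"] in ("IDENTITY_PROVIDER_FIRST_LOGIN", "FEDERATED_IDENTITY_LINK"):
            link_sessions[sid] = ev["ts"]
            continue
        if ev["type"] not in ("UPDATE_EMAIL", "SEND_VERIFY_EMAIL"):
            continue
        target = ev.get("updated_email") or ev.get("email")
        owner = directory.get(target)
        in_link_flow = sid in link_sessions and ev["ts"] - link_sessions[sid] <= window
        if owner and owner != ev["userId"] and in_link_flow:
            alerts.append({"actor": ev["userId"], "victim": owner, "email": target,
                           "session": sid, "type": ev["type"]})
    return alerts
```

Running `find_cross_account_email_claims(EVENTS, USER_DIRECTORY)` flags the two u-2002 events against alice@example.org and ignores the benign self-service change.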

Priority Score

36 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +36, POC 0

Vendor Status

Debian: Bug #1088287, package keycloak
Release: (unspecified) | Status: open | Fixed Version: - | Urgency: -

CVE-2025-7365 vulnerability details – vuln.today