CVE-2025-1391

MEDIUM

Keycloak Services 26.1.0-26.1.2 - Improper Access Control via Organization Domain Pattern Matching


Description

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

References

Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:2544
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2025:2545
Vendor Advisory, VDB entry (Red Hat): https://access.redhat.com/security/cve/CVE-2025-1391
Issue Tracking (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=2346082

Scores

CVSS v3 5.4
EPSS 0.0009
EPSS Percentile 25.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (5)
org.keycloak/keycloak-services 26.1.0 - 26.1.3 (Maven)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 26.0 26.0-11
Red Hat/Red Hat build of Keycloak 26.0 26.0-12
Red Hat/Red Hat build of Keycloak 26.0 26.0.10-3
Published Feb 17, 2025
Tracked Since Feb 18, 2026