CVE-2025-7365
HIGHKeycloak - Authenticated Account Takeover via Identity Provider Login Email Verification
Title source: llmDescription
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
References (8)
Core 8
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:11986
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:11987
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:12015
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:12016
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-7365
Issue Tracking, Vendor Advisory issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2378852
Scores
CVSS v3
7.1
EPSS
0.0022
EPSS Percentile
12.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-346
Status
published
Products (8)
org.keycloak/keycloak-services
0 - 26.0.13Maven
Red Hat/Red Hat build of Keycloak 26
Red Hat/Red Hat build of Keycloak 26.0
26.0-16
Red Hat/Red Hat build of Keycloak 26.0
26.0-17
Red Hat/Red Hat build of Keycloak 26.0
26.0.13-2
Red Hat/Red Hat build of Keycloak 26.2
26.2-6
Red Hat/Red Hat build of Keycloak 26.2
26.2.6-1
redhat/keycloak
Published
Jul 10, 2025
Tracked Since
Feb 18, 2026