CVE-2025-1391: Improper Access Control
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
AI Analysis
Technical Summary
This vulnerability in Keycloak's organization feature occurs at the mapper level, where a user can be incorrectly assigned to an organization if their username or email matches the organization's domain pattern. This results in tokens containing unauthorized organization claims. Applications that use these claims for authorization decisions may mistakenly grant access or privileges to users not legitimately belonging to those organizations. The issue affects Keycloak version 26.0.0. Red Hat has published security advisories and released updated Keycloak 26.0.10 images that fix this improper authorization flaw.
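The following illustration of the flaw class is an added example, not Keycloak's code or Red Hat's. It assumes a toy data model (organizations with verified domains and an explicit membership list, users with a username and email) and a hypothetical token mapper that chooses the organizations written into an `organization` claim. The flawed mapper treats a domain match on the username or email as membership, which is the behaviour the description above attributes to the vulnerable mapper; the hardened mapper emits only organizations the user is actually a member of. A relying party that trusts the claim cannot tell the two tokens apart, which is why the description warns about applications that authorize on it.

```python
"""Toy illustration of CVE-2025-1391's flaw class (added example, not Keycloak code)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass
class Organization:
    alias: str
    domains: set            # verified email domains claimed by the organization
    members: set = field(default_factory=set)   # usernames with confirmed membership


@dataclass
class User:
    username: str
    email: str


def email_domain(value: str) -> Optional[str]:
    """Lower-cased domain part of an address-like string, or None if it has no '@'."""
    if "@" not in value:
        return None
    return value.rsplit("@", 1)[1].lower()


def map_orgs_by_domain(user: User, orgs: Iterable[Organization]) -> list:
    """Flawed mapper: a username or email whose domain matches an org's domain
    pattern is treated as membership, so a self-registered user gets the claim."""
    candidate_domains = {d for d in (email_domain(user.username), email_domain(user.email)) if d}
    return sorted(o.alias for o in orgs if candidate_domains & o.domains)


def map_orgs_by_membership(user: User, orgs: Iterable[Organization]) -> list:
    """Hardened mapper: the domain is irrelevant; only confirmed membership counts."""
    return sorted(o.alias for o in orgs if user.username in o.members)


def build_token_claims(user: User, orgs: Iterable[Organization],
                       mapper: Callable[[User, Iterable[Organization]], list]) -> dict:
    """Assemble the claims a token would carry; the claim shape is an assumption."""
    claims = {"sub": user.username, "email": user.email}
    mapped = mapper(user, orgs)
    if mapped:
        claims["organization"] = {alias: {} for alias in mapped}
    return claims


def authorize(claims: dict, required_org: str) -> bool:
    """Relying party that grants access purely on the organization claim."""
    return required_org in claims.get("organization", {})


# Constructed sample data: alice is a real member of acme; mallory merely
# self-registered with an email under acme's domain and was never added.
ACME = Organization("acme", {"acme.example"}, members={"alice"})
ORGS = [ACME]
ALICE = User("alice", "alice@acme.example")
MALLORY = User("mallory", "mallory@acme.example")


def demo() -> tuple:
    """Return (flawed, hardened) authorization outcomes per user for org 'acme'."""
    flawed = {u.username: authorize(build_token_claims(u, ORGS, map_orgs_by_domain), "acme")
              for u in (ALICE, MALLORY)}
    hardened = {u.username: authorize(build_token_claims(u, ORGS, map_orgs_by_membership), "acme")
                for u in (ALICE, MALLORY)}
    return flawed, hardened


if __name__ == "__main__":
    flawed, hardened = demo()
    print("flawed mapper  :", flawed)     # mallory wrongly authorized
    print("hardened mapper:", hardened)   # only alice authorized
```

Running the block shows the same relying-party check returning `True` for both users under the flawed mapper and only for the genuine member under the hardened one; the relying party's code is unchanged between the two runs, so the fix has to happen where the claim is produced.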
Potential Impact
The vulnerability allows unauthorized users to be incorrectly associated with organizations in tokens, potentially leading to unauthorized access or privilege escalation in applications relying on these claims for authorization. The CVSS 3.1 base score is 5.4 (medium severity), indicating limited confidentiality and integrity impact without availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Red Hat has released Keycloak 26.0.10 images that address this vulnerability. Users of the affected Keycloak 26.0.0 should update to the latest Red Hat build of Keycloak 26.0.10 images, as provided in the Red Hat advisories RHSA-2025:2544 and RHSA-2025:2545. Back up existing installations, including configurations and databases, before updating. Red Hat confirms the patch status as fixed. No additional mitigation steps are indicated beyond applying the official update.
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-02-17T08:56:42.702Z
- CVSS Version: 3.1
- State: PUBLISHED
- Vendor Advisory URLs (Red Hat):
  - https://access.redhat.com/errata/RHSA-2025:2544
  - https://access.redhat.com/errata/RHSA-2025:2545
  - https://access.redhat.com/security/cve/CVE-2025-1391
Threat ID: 68b36dfcad5a09ad00944d38
Added to database: 8/30/2025, 9:32:44 PM
Last enriched: 5/7/2026, 1:44:42 AM
Last updated: 5/10/2026, 1:04:19 PM