CVE-2025-7365: Origin Validation Error
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
AI Analysis
Technical Summary
This vulnerability in Keycloak arises when an authenticated attacker merges accounts during an identity provider login and is prompted to review profile information. The attacker can change their email address to match a victim's, causing a verification email to be sent to the victim. The verification email omits the attacker's email address, enabling a phishing attack. Successful exploitation allows the attacker to gain access to the victim's account. The CVSS 3.1 score is 7.1 (high), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges and user interaction. Red Hat has published security advisories and released fixed Keycloak 26.0.13 images to mitigate this vulnerability.
Potential Impact
An attacker who is already authenticated can exploit this flaw to impersonate a victim by modifying their email address to the victim's during account merging. This causes a verification email to be sent to the victim, which lacks the attacker's email address, potentially tricking the victim into clicking the verification link. If the victim does so, the attacker gains access to the victim's account, compromising confidentiality, integrity, and availability of the victim's account data.
Mitigation Recommendations
Red Hat has released updated Keycloak 26.0.13 images that fix this vulnerability. Users should back up their existing installations and apply the update as soon as possible. The vendor advisory provides official patches and recommends updating to the fixed versions. No alternative mitigations or workarounds are specified. Patch status is confirmed as fixed in the updated Keycloak 26.0.13 images.
CVE-2025-7365: Origin Validation Error
Description
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Keycloak arises when an authenticated attacker merges accounts during an identity provider login and is prompted to review profile information. The attacker can change their email address to match a victim's, causing a verification email to be sent to the victim. The verification email omits the attacker's email address, enabling a phishing attack. Successful exploitation allows the attacker to gain access to the victim's account. The CVSS 3.1 score is 7.1 (high), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges and user interaction. Red Hat has published security advisories and released fixed Keycloak 26.0.13 images to mitigate this vulnerability.
Potential Impact
An attacker who is already authenticated can exploit this flaw to impersonate a victim by modifying their email address to the victim's during account merging. This causes a verification email to be sent to the victim, which lacks the attacker's email address, potentially tricking the victim into clicking the verification link. If the victim does so, the attacker gains access to the victim's account, compromising confidentiality, integrity, and availability of the victim's account data.
Mitigation Recommendations
Red Hat has released updated Keycloak 26.0.13 images that fix this vulnerability. Users should back up their existing installations and apply the update as soon as possible. The vendor advisory provides official patches and recommends updating to the fixed versions. No alternative mitigations or workarounds are specified. Patch status is confirmed as fixed in the updated Keycloak 26.0.13 images.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2025-07-08T18:22:15.734Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2025:11986","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:11987","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:12015","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:12016","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2025-7365","vendor":"Red Hat"}]
Threat ID: 686fceada83201eaaca818f9
Added to database: 7/10/2025, 2:31:09 PM
Last enriched: 5/7/2026, 1:45:27 AM
Last updated: 5/9/2026, 1:59:53 AM
Views: 162
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.