CVE-2025-7365: Origin Validation Error
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
AI Analysis
Technical Summary
CVE-2025-7365 is a vulnerability identified in Red Hat's build of Keycloak version 26.2.0 and earlier, involving an origin validation error during the account merge process in identity provider (IdP) login flows. When an authenticated attacker attempts to merge their account with another existing account, they are prompted to review profile information. The flaw allows the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address; critically, the verification email does not disclose the attacker's email address, which can deceive the victim into believing the email is legitimate. If the victim clicks the verification link, the attacker can complete the merge and gain unauthorized access to the victim's account. The vulnerability impacts confidentiality, integrity, and availability by enabling account takeover. The CVSS 3.1 score is 7.1 (high), reflecting network attack vector, low privileges required, user interaction needed, and high impact on all security properties. No public exploits are known at this time. The vulnerability arises from insufficient validation of the origin and email address during the merge process, allowing email spoofing and phishing attacks to facilitate account compromise.
Potential Impact
This vulnerability poses a significant risk to organizations using Red Hat's Keycloak 26 or earlier versions for identity and access management. Successful exploitation can lead to account takeover, compromising user confidentiality and integrity, and potentially allowing attackers to escalate privileges or access sensitive resources. The phishing nature of the attack increases the likelihood of victim interaction, making social engineering a critical factor. Organizations relying on Keycloak for single sign-on or federated identity management could see widespread impact, including unauthorized access to internal applications, data breaches, and disruption of services. The attack could also undermine user trust and lead to regulatory compliance issues if personal data is compromised. Given Keycloak's use in enterprise and government sectors, the impact could be severe, especially where identity federation is critical.
Mitigation Recommendations
Organizations should immediately audit their Keycloak deployments to identify affected versions (up to 26.2.0) and plan for prompt patching once Red Hat releases an official fix. Until patches are available, administrators should consider disabling account merge functionality or restricting it to highly trusted users. Implement enhanced monitoring and alerting on account merge and profile review activities to detect suspicious behavior. Educate users about phishing risks related to verification emails and encourage verification of email authenticity before clicking links. Employ multi-factor authentication (MFA) to reduce the risk of account takeover even if credentials are compromised. Review and tighten email verification workflows to ensure the origin and email addresses are properly validated. Additionally, consider deploying email security solutions that can detect and block phishing attempts triggered by this vulnerability.
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, Canada, Australia, Netherlands, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-07-08T18:22:15.734Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686fceada83201eaaca818f9
Added to database: 7/10/2025, 2:31:09 PM
Last enriched: 2/26/2026, 4:07:19 PM
Last updated: 3/25/2026, 4:13:42 AM