
CVE-2025-7365: Origin Validation Error in Red Hat Red Hat build of Keycloak 26

Severity: Medium
Published: Thu Jul 10 2025 (07/10/2025, 14:20:45 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat build of Keycloak 26

Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

AI-Powered Analysis

Last updated: 08/22/2025, 00:35:18 UTC

Technical Analysis

CVE-2025-7365 is a medium-severity vulnerability affecting the Red Hat build of Keycloak version 26, an open-source identity and access management solution widely used for single sign-on and identity federation. The flaw arises during the process where an authenticated attacker attempts to merge their account with another existing account via an identity provider (IdP) login. After initiating the merge, the attacker is prompted to "review profile" information, where they can modify their email address to match that of a victim's account. This triggers a verification email sent to the victim's email address. Critically, the verification email does not include the attacker’s email address, which creates a phishing vector: the victim may be misled into clicking the verification link, inadvertently granting the attacker access to their account. The vulnerability exploits a logic flaw in origin validation and email verification during account merging, allowing an attacker with low privileges (authenticated user) to escalate access by hijacking victim accounts. The CVSS v3.1 score is 5.4 (medium), reflecting network attack vector, high attack complexity, low privileges required, and user interaction needed. Confidentiality impact is high as unauthorized access to victim accounts is possible, integrity impact is low, and availability is unaffected. No known exploits in the wild have been reported yet, and no patches or mitigations are linked in the provided data, indicating a need for prompt vendor response and user vigilance.

Potential Impact

For European organizations, this vulnerability poses a significant risk to identity and access management security, especially for enterprises and public sector entities relying on Red Hat Keycloak for authentication and user federation. Successful exploitation could lead to unauthorized account takeover, exposing sensitive personal and corporate data, potentially violating GDPR requirements on data protection and user consent. The phishing aspect increases the risk of social engineering attacks targeting employees or customers, undermining trust in organizational security. Compromised accounts could be leveraged to access internal systems, escalate privileges, or conduct further attacks such as data exfiltration or fraud. Given the widespread adoption of Keycloak in European government agencies, financial institutions, and large enterprises, the vulnerability could disrupt critical services and damage reputations. The requirement for user interaction (victim clicking the verification link) means that user awareness and training are crucial components of risk mitigation.

Mitigation Recommendations

Organizations should immediately review their Keycloak deployments and apply any vendor-released patches or updates addressing CVE-2025-7365 once available. In the interim, administrators can mitigate risk by disabling account merging features or restricting them to trusted users only. Implementing enhanced monitoring and alerting on account merge activities and verification email triggers can help detect suspicious behavior. Strengthening email verification processes to include clear identification of the request origin and the requester's email address can reduce phishing risks. User education campaigns should emphasize caution when interacting with unexpected verification emails, especially those related to account changes. Additionally, organizations should consider multi-factor authentication (MFA) enforcement on account changes and merges to add an extra security layer. Reviewing and tightening identity provider configurations and access policies can further reduce attack surface. Finally, incident response plans should be updated to address potential account takeover scenarios stemming from this vulnerability.
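As an added example (not from the advisory or the Keycloak project), the following script implements the monitoring suggested above: it correlates Keycloak-style user event lines and alerts when a user who has just linked an identity provider account changes their email to an address that another existing user already owns and a verification email is then sent to that address. The `key="value"` line layout, the event type names, the sample lines and the account directory are constructed assumptions; a real deployment would feed in the realm's event log and user store.

```python
import re

# Constructed sample lines in the key="value" layout of Keycloak's event
# logger; event type names are assumptions about the target deployment.
SAMPLE_EVENTS = """\
type="IDENTITY_PROVIDER_LINK_ACCOUNT", realmId="corp", userId="u-attacker", ipAddress="203.0.113.5", identity_provider="github"
type="UPDATE_PROFILE", realmId="corp", userId="u-attacker", ipAddress="203.0.113.5", updated_email="victim@example.com", previous_email="attacker@example.net"
type="SEND_VERIFY_EMAIL", realmId="corp", userId="u-attacker", ipAddress="203.0.113.5", email="victim@example.com"
type="UPDATE_PROFILE", realmId="corp", userId="u-bob", ipAddress="198.51.100.9", updated_email="bob.new@example.com", previous_email="bob@example.com"
type="SEND_VERIFY_EMAIL", realmId="corp", userId="u-bob", ipAddress="198.51.100.9", email="bob.new@example.com"
"""

# Constructed directory of existing accounts (email -> user id); in a real
# deployment this comes from the realm's user store via the admin API.
KNOWN_EMAILS = {
    "victim@example.com": "u-victim",
    "bob@example.com": "u-bob",
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')
LINK_EVENTS = {"IDENTITY_PROVIDER_LINK_ACCOUNT", "FEDERATED_IDENTITY_LINK"}


def parse_event(line):
    """Turn one key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def find_merge_hijack(lines, known_emails):
    """Alert when a user who just linked an IdP account changes their email
    to an address another existing user owns and a verification mail is
    then sent to that address (the CVE-2025-7365 sequence)."""
    linked, pending, alerts = set(), {}, []
    for ev in (parse_event(ln) for ln in lines if ln.strip()):
        uid, kind = ev.get("userId"), ev.get("type")
        if kind in LINK_EVENTS:
            linked.add(uid)
        elif kind == "UPDATE_PROFILE" and uid in linked:
            owner = known_emails.get(ev.get("updated_email"))
            if owner and owner != uid:  # new email collides with another account
                pending[uid] = {"userId": uid, "victim": owner,
                                "target_email": ev["updated_email"],
                                "ip": ev.get("ipAddress")}
        elif kind == "SEND_VERIFY_EMAIL" and uid in pending:
            if ev.get("email") == pending[uid]["target_email"]:
                alerts.append(pending.pop(uid))  # verification mail went to the victim
    return alerts


if __name__ == "__main__":
    for alert in find_merge_hijack(SAMPLE_EVENTS.splitlines(), KNOWN_EMAILS):
        print("ALERT possible account-merge hijack:", alert)
```

Bob's ordinary email change is not flagged because his new address belongs to no other account and he performed no IdP link beforehand.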


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-07-08T18:22:15.734Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686fceada83201eaaca818f9

Added to database: 7/10/2025, 2:31:09 PM

Last enriched: 8/22/2025, 12:35:18 AM

Last updated: 8/22/2025, 12:35:18 AM
