CVE-2025-7365: Origin Validation Error
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
AI Analysis
Technical Summary
CVE-2025-7365 is an origin validation error in the Red Hat build of Keycloak, version 26.2.0 and earlier, in the account-linking step of an identity provider (IdP) login. When a user authenticates through an IdP and Keycloak finds an existing local account to merge with, the first broker login flow presents a "review profile" form. An authenticated attacker can change the e-mail address on that form to a victim's address, and Keycloak then sends the verification e-mail to the victim rather than to the attacker. The message names neither the attacker's original address nor the IdP identity that triggered it, so the victim sees an ordinary-looking request from their own identity system to verify their own account. If the victim clicks the link, the verification completes on the attacker's behalf and the attacker's IdP identity ends up linked to the victim's account, giving the attacker access to it. Red Hat scores it CVSS 3.1 7.1 (High): network attack vector, low privileges required (the attacker needs an account that can log in through the IdP), user interaction required, and high confidentiality, integrity and availability impact. Those components only produce 7.1 with high attack complexity, which matches the need to land the phishing click; with low complexity the same metrics would score 8.0. No exploitation in the wild has been reported, but the preconditions are cheap (an IdP login and a victim who reads their mail), and the consequences are those of a full account takeover in whatever Keycloak is the central identity provider for. The underlying weakness is that the verification step trusts the address entered during profile review without binding the confirmation to the person who requested it or telling the recipient who did. It is a reminder that account linking and merge flows deserve the same scrutiny as password reset: both turn an unauthenticated e-mail click into a credential.
Potential Impact
For European organizations the exposure is real: Keycloak is common in enterprise and public-sector single sign-on (SSO) and identity federation deployments across Europe. A successful link gives the attacker the victim's sessions and everything the victim's account reaches through SSO, so the consequences are those of an account takeover: access to personal and business data, and a foothold in every downstream application that trusts the Keycloak realm. Because the lure is a genuine verification e-mail sent by the organization's own Keycloak instance, it passes the checks users are trained to apply to phishing (correct sender, correct domain, correct branding), which makes high-value recipients such as government officials, finance staff and clinicians realistic targets. Remediation is disruptive as well: linked identities have to be found and unlinked, affected users re-verified, and sessions revoked. Where personal data is exposed, GDPR notification duties and penalty risk follow. The requirement for user interaction means awareness is part of the defence, but since the message itself is legitimate, training alone will not hold. Cloud and SaaS platforms that front their authentication with Keycloak inherit the same exposure.
Mitigation Recommendations
1. Apply the fixed Keycloak build from Red Hat (or the corresponding upstream Keycloak release) as soon as it is available to you.
2. Until it is deployed, tighten the first broker login flow, which is where the link to an existing account is offered. The linking path runs through that flow's "Handle Existing Account" subflow: requiring "Verify Existing Account By Re-authentication" and disabling "Verify Existing Account By Email" means a clicked link alone cannot complete a link, and setting the "Review Profile" authenticator's "Update Profile On First Login" to off suppresses the form on which the address is rewritten. If linking on IdP login is not needed at all, disable the subflow so that a colliding e-mail address fails the login instead.
3. Turn on event logging for SEND_VERIFY_EMAIL, VERIFY_EMAIL, UPDATE_EMAIL, UPDATE_PROFILE, IDENTITY_PROVIDER_FIRST_LOGIN and IDENTITY_PROVIDER_LINK_ACCOUNT, and alert when a verification e-mail is sent to an address already held by a different account in the realm.
4. Change the e-mail verification template so the message states which username or IdP identity requested the verification and which address is being attached, and tells the recipient to ignore it if they did not start a login.
5. Enforce multi-factor authentication, and configure an IdP post-login flow that requires it: a brokered login does not pass through the browser flow's OTP step, so MFA configured only there does not protect a linked account.
6. Train users that a verification e-mail they did not request is itself the warning sign, even when it comes from the organization's own identity system.
7. Review which identity providers are enabled and which of them actually need to link to existing local accounts on first login; remove the link path for the rest.
8. Alert on verification links confirmed from a different IP address or user agent than the request that triggered them, and on bursts of e-mail changes to addresses that already exist in the realm.
9. Give incident response a playbook: identify federated identities linked to an account after a verification the owner did not request, unlink them in the admin console, revoke the account's sessions and reset its credentials.
10. Audit identity provider and authentication flow configuration regularly and carry the lessons into the standard for new IdP integrations.
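The logging and alerting described in the recommendations above, as an added example that is not Keycloak's code and not part of the original advisory. It assumes the key=value line style of Keycloak's built-in jboss-logging event listener; the event lines, the detail keys used (userId, ipAddress, email, updated_email) and the USER_DIRECTORY mapping are constructed for the example, and in production the directory lookup would be a query against the realm's user store. It flags the two traces the attack in the technical summary leaves behind: a verification e-mail addressed to an address that already belongs to a different account, and a verification link confirmed from an IP address other than the one that requested it.

```python
"""Flag Keycloak e-mail verification activity that targets another user's address.

Added example for this page, not Keycloak's own code. Assumes the key=value
line format of Keycloak's jboss-logging event listener; the sample lines and
the user directory below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the realm's user store: userId -> e-mail on file.
USER_DIRECTORY: Dict[str, str] = {
    "1111-attacker": "mallory@example.net",
    "2222-victim": "alice@example.org",
    "3333-other": "bob@example.org",
}

# Constructed event lines in the jboss-logging listener's style. The attacker
# (userId 1111-attacker) logs in via an IdP, rewrites the e-mail on the review
# profile form to the victim's address, the verification mail goes to the victim,
# and the link is later confirmed from a different IP (the victim's click).
SAMPLE_EVENTS = """\
type=IDENTITY_PROVIDER_FIRST_LOGIN, realmId=corp, clientId=account, userId=1111-attacker, ipAddress=203.0.113.7, identity_provider=partner-idp
type=UPDATE_EMAIL, realmId=corp, clientId=account, userId=1111-attacker, ipAddress=203.0.113.7, previous_email=mallory@example.net, updated_email=alice@example.org
type=SEND_VERIFY_EMAIL, realmId=corp, clientId=account, userId=1111-attacker, ipAddress=203.0.113.7, email=alice@example.org
type=SEND_VERIFY_EMAIL, realmId=corp, clientId=account, userId=3333-other, ipAddress=198.51.100.4, email=bob@example.org
type=VERIFY_EMAIL, realmId=corp, clientId=account, userId=1111-attacker, ipAddress=192.0.2.9, email=alice@example.org
"""

# key=value pairs separated by ", "; values never contain a comma in this format.
PAIR_RE = re.compile(r"(\w+)=([^,]*)")

# Event types that carry a target address, and the detail key that holds it.
EMAIL_EVENTS = {
    "UPDATE_EMAIL": "updated_email",
    "SEND_VERIFY_EMAIL": "email",
    "VERIFY_EMAIL": "email",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    user_id: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one listener line into a dict of its key=value fields."""
    return {key: value.strip() for key, value in PAIR_RE.findall(line)}


def owner_of(email: str, directory: Dict[str, str]) -> Optional[str]:
    """Return the userId that already holds this address, if any (case-insensitive)."""
    wanted = email.casefold()
    for user_id, on_file in directory.items():
        if on_file.casefold() == wanted:
            return user_id
    return None


def detect(lines: Iterable[str], directory: Dict[str, str]) -> List[Finding]:
    """Run both rules over the event stream and return what they flag."""
    findings: List[Finding] = []
    sent_from: Dict[str, str] = {}  # userId -> IP that requested the last verification mail
    for raw in lines:
        if not raw.strip():
            continue
        event = parse_event(raw)
        etype = event.get("type", "")
        address_key = EMAIL_EVENTS.get(etype)
        if address_key is None:
            continue
        user_id = event.get("userId", "")
        address = event.get(address_key, "")
        # Rule 1: the address being set or verified already belongs to someone else.
        owner = owner_of(address, directory)
        if owner is not None and owner != user_id:
            findings.append(Finding("email-collision", user_id,
                                    f"{etype} targets {address}, which belongs to {owner}"))
        # Rule 2: the link was confirmed from a different IP than the one that asked for it.
        if etype == "SEND_VERIFY_EMAIL":
            sent_from[user_id] = event.get("ipAddress", "")
        elif etype == "VERIFY_EMAIL":
            requester_ip = sent_from.get(user_id)
            confirm_ip = event.get("ipAddress", "")
            if requester_ip and requester_ip != confirm_ip:
                findings.append(Finding("verify-from-other-ip", user_id,
                                        f"mail requested from {requester_ip}, link confirmed from {confirm_ip}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines(), USER_DIRECTORY):
        print(f"[{finding.rule}] user {finding.user_id}: {finding.detail}")
```

Both rules also fire on legitimate activity (a user moving to an address they once used on a second account, or confirming a link from a phone on a different network), so treat them as triage signals rather than blocking controls, and weight them higher when the same user has an IDENTITY_PROVIDER_FIRST_LOGIN event in the same window.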
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-07-08T18:22:15.734Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686fceada83201eaaca818f9
Added to database: 7/10/2025, 2:31:09 PM
Last enriched: 1/8/2026, 4:34:50 AM
Last updated: 1/10/2026, 10:12:23 PM