CVE-2025-7365: Origin Validation Error
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
AI Analysis
Technical Summary
CVE-2025-7365 is a vulnerability identified in Red Hat's build of Keycloak version 26.2.0 and earlier, involving an origin validation error during the account merge process in identity provider (IdP) login flows. When an authenticated attacker attempts to merge their account with another existing account, they are prompted to review profile information. The attacker can exploit this step to change their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. Critically, the verification email does not disclose the attacker's email address, which can mislead the victim into believing the email is legitimate and relates to their own account activity. If the victim clicks the verification link, the attacker gains unauthorized access to the victim's account, effectively bypassing normal authentication controls. The vulnerability has a CVSS 3.1 base score of 5.4 (medium severity): the attack vector is network, the attack complexity is high, low privileges are required, and user interaction is required. The impact primarily affects confidentiality by enabling account takeover, with limited integrity impact and no availability impact. No public exploits have been reported yet, but the phishing vector increases the risk of social engineering attacks. The vulnerability highlights a weakness in how Keycloak validates origin and handles email verification during account merges, potentially allowing attackers to impersonate victims and escalate privileges within affected systems.
Potential Impact
For European organizations, the primary impact of CVE-2025-7365 is the risk of unauthorized account takeover through social engineering and phishing. Compromised accounts can lead to data breaches, unauthorized access to sensitive information, and potential lateral movement within corporate networks. Organizations relying on Keycloak for identity and access management, especially those integrating multiple identity providers and enabling account merges, face increased risk. The phishing aspect may also erode user trust and increase the likelihood of successful spear-phishing campaigns targeting employees. Confidentiality is most at risk, as attackers can gain access to victim accounts without alerting the victim to the attacker’s identity. The medium severity rating suggests that while the vulnerability is not trivially exploitable, the combination of authentication and user interaction requirements means targeted attacks could succeed. This is particularly concerning for sectors with high-value targets such as finance, government, and critical infrastructure in Europe. Additionally, the lack of known exploits in the wild provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
1. Apply patches or updates from Red Hat as soon as they become available to address this vulnerability in Keycloak.
2. Until patches are available, restrict or disable account merge functionality where possible, especially for users with lower privilege levels.
3. Implement strict email verification policies and monitor verification email templates to ensure they include clear sender information and warnings about unsolicited verification requests.
4. Educate users to recognize suspicious verification emails, emphasizing that verification requests should be verified through separate communication channels before clicking links.
5. Enhance monitoring and alerting for unusual account merge activities and verification email triggers within Keycloak logs.
6. Consider implementing multi-factor authentication (MFA) on account merges or profile changes to add an additional layer of security.
7. Review and tighten identity provider integration configurations to minimize attack surface related to account merges.
8. Conduct regular security audits and penetration testing focused on identity management workflows to detect similar logic flaws.
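The monitoring called for in recommendation 5 can be implemented as a check over Keycloak's admin event export: an alert fires when a user sets or verifies an email address that already belongs to a different account, and the alert records whether that happened in the same session as an IdP login. The script below is an added example written for this page, not code from the advisory or from the Keycloak project. It assumes events were fetched from the admin REST events endpoint (GET /admin/realms/{realm}/events) as a JSON array with the fields "time", "type", "userId", "sessionId", "ipAddress" and a "details" map; the event type names UPDATE_EMAIL, SEND_VERIFY_EMAIL, IDENTITY_PROVIDER_FIRST_LOGIN and IDENTITY_PROVIDER_LINK_ACCOUNT are Keycloak's own, while the detail keys "updated_email", "previous_email" and "email" are assumptions. The user directory and the event records are constructed for the example.

```python
"""Flag Keycloak email changes and verification mails that collide with another account's address.

Added example, not from the advisory or the Keycloak project. Event type names are real
Keycloak event types; the "details" key names are assumed for this example.
"""
import json

# Event types that carry an e-mail address a user is trying to set or verify.
EMAIL_CHANGE_TYPES = {"UPDATE_EMAIL"}
VERIFY_TYPES = {"SEND_VERIFY_EMAIL"}
# Event types that mark an IdP login / account-link in a session.
IDP_TYPES = {"IDENTITY_PROVIDER_FIRST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT"}

# Constructed user directory: userId -> registered e-mail (in production, pull from the admin users endpoint).
SAMPLE_USERS = {
    "u-alice": "alice@example.org",
    "u-mallory": "mallory@example.net",
}

# Constructed event records shaped like a Keycloak admin events export (field and detail names assumed).
SAMPLE_EVENTS_JSON = json.dumps([
    {"time": 1752000000000, "type": "IDENTITY_PROVIDER_FIRST_LOGIN", "userId": "u-mallory",
     "sessionId": "s1", "ipAddress": "203.0.113.7", "details": {"identity_provider": "corp-idp"}},
    {"time": 1752000005000, "type": "UPDATE_EMAIL", "userId": "u-mallory",
     "sessionId": "s1", "ipAddress": "203.0.113.7",
     "details": {"previous_email": "mallory@example.net", "updated_email": "Alice@Example.org"}},
    {"time": 1752000006000, "type": "SEND_VERIFY_EMAIL", "userId": "u-mallory",
     "sessionId": "s1", "ipAddress": "203.0.113.7", "details": {"email": "alice@example.org"}},
    {"time": 1752000100000, "type": "UPDATE_EMAIL", "userId": "u-alice",
     "sessionId": "s2", "ipAddress": "198.51.100.2",
     "details": {"previous_email": "alice@example.org", "updated_email": "alice.new@example.org"}},
])


def claimed_email(event):
    """Return the e-mail address an event tries to set or verify, or None for other events."""
    details = event.get("details") or {}
    if event.get("type") in EMAIL_CHANGE_TYPES:
        return details.get("updated_email")
    if event.get("type") in VERIFY_TYPES:
        return details.get("email")
    return None


def find_email_collisions(events, users):
    """Return one alert per event where a user claims an e-mail already owned by a different user.

    `users` maps userId -> registered e-mail. Addresses are compared case-insensitively so a
    case-varied copy of the victim's address is still caught.
    """
    owner_of = {email.lower(): uid for uid, email in users.items()}
    idp_sessions = {e["sessionId"] for e in events
                    if e.get("sessionId") and e.get("type") in IDP_TYPES}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.get("time", 0)):
        email = claimed_email(e)
        if not email:
            continue
        owner = owner_of.get(email.lower())
        if owner is None or owner == e.get("userId"):
            continue  # fresh address, or the user's own address: benign
        alerts.append({
            "type": e["type"],
            "actor": e.get("userId"),
            "victim": owner,
            "email": email.lower(),
            "session": e.get("sessionId"),
            "ip": e.get("ipAddress"),
            "during_idp_login": e.get("sessionId") in idp_sessions,
        })
    return alerts


def scan_json(events_json, users):
    """Parse a JSON events export and return the collision alerts."""
    return find_email_collisions(json.loads(events_json), users)


if __name__ == "__main__":
    for alert in scan_json(SAMPLE_EVENTS_JSON, SAMPLE_USERS):
        print(json.dumps(alert))
```

An alert with "during_idp_login" set is the exact pattern this CVE describes: an email changed during the profile-review step of an IdP login to an address that another account already owns, followed by a verification mail to that address. Alice's own change to a previously unused address produces no alert. Run the check on a schedule against recent events, or feed it the same export an incident responder would pull when a user reports an unexpected verification mail.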
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-07-08T18:22:15.734Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686fceada83201eaaca818f9
Added to database: 7/10/2025, 2:31:09 PM
Last enriched: 11/7/2025, 7:34:21 PM
Last updated: 11/21/2025, 3:46:14 PM