CVE-2025-7365

low-risk

Published 2025-07-10

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

NETWORK / HIGH complexity

Affected Products (1)

Keycloak

Affected Vendors

Redhat

References (6)

Vendor Advisory https://access.redhat.com/errata/RHSA-2025:11986

Vendor Advisory https://access.redhat.com/errata/RHSA-2025:11987

Vendor Advisory https://access.redhat.com/errata/RHSA-2025:12015

Vendor Advisory https://access.redhat.com/errata/RHSA-2025:12016

Vendor Advisory https://access.redhat.com/security/cve/CVE-2025-7365

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2378852

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal