Business Logic Vulnerability in Keycloak's Token Exchange Component
CVE-2025-14559

6.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak
Vendor: CVE Published:; 21 January 2026

What is CVE-2025-14559?

A significant flaw has been identified in the keycloak-services component of Keycloak. This vulnerability enables the issuance of access and refresh tokens for users who have been disabled, potentially allowing unauthorized access to resources and privileges that were previously revoked. The issue arises from a business logic error in the Token Exchange implementation, particularly when a privileged client executes the token exchange flow. This vulnerability poses a serious risk to user account integrity within applications utilizing Keycloak for authentication, making it essential for organizations to adopt mitigations to safeguard against unauthorized access.

References

https://access.redhat.com/security/cve/CVE-2025-14559

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2421711

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 21, 2026
Vulnerability Reserved
Dec 12, 2025

Credit

Red Hat would like to thank Aytac Kalinci for reporting this issue.

JSON