Account Merge Vulnerability in Keycloak by Red Hat
CVE-2025-7365

7.1 HIGH

What is CVE-2025-7365?

A security flaw in Keycloak allows an authenticated attacker to abuse the account merging feature during identity provider login. By attempting to merge their account with another user's, the attacker can alter their own profile information, specifically changing their email address to match the victim's. This change triggers a verification email to the victim that does not disclose the attacker's email address. If the victim interacts with the verification link, the attacker can gain unauthorized access to the victim's account, presenting significant security risks including potential phishing attempts.

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved