Account Merge Vulnerability in Keycloak by Red Hat
CVE-2025-7365

5.4 MEDIUM

Key Information:

Vendor

Red Hat

CVE Published:
10 July 2025

What is CVE-2025-7365?

A flaw in Keycloak's identity provider (IdP) login flow lets an authenticated attacker abuse the account-merge step. When an attacker logging in through an IdP tries to merge that identity with another existing account, Keycloak prompts the attacker to review the profile, and at that step the attacker can change the email address to the one belonging to a victim's account. Keycloak then sends an account-verification email to the victim's address. The email does not show the attacker's identity or email address, so it reads like a routine verification request and works as a phishing lure. If the victim clicks the verification link, the attacker's IdP identity is linked to the victim's account and the attacker can log in as the victim. Exploitation requires a valid account in the realm (low privileges), an identity provider login, and the victim's interaction, which is why the CVSS vector rates attack complexity as high and user interaction as required.
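The following is an added toy model of the flow described above, written for this page rather than taken from Keycloak's source: every class, method and message string is invented for illustration. It shows the vulnerable behaviour (an email edited on the review-profile page selects the account to merge into, and the verification mail hides who requested the link) beside a hypothetical hardening (refuse an email change that would target another account, and name the requesting identity in the mail). The hardening is an assumption for the example, not the vendor's fix.

```python
"""Toy model of an identity-broker 'link existing account by email' flow.
Added illustration of CVE-2025-7365; not Keycloak code. All names are invented."""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    linked_idps: set = field(default_factory=set)  # {(idp, subject), ...}


@dataclass
class Mail:
    to: str
    body: str


class Realm:
    def __init__(self, hardened):
        self.hardened = hardened
        self.users = {}    # username -> User
        self.outbox = []   # mails the realm "sent"
        self.pending = {}  # token -> (idp, subject, username to link into)

    def add_user(self, username, email):
        self.users[username] = User(username, email)

    def user_by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)

    def first_broker_login(self, idp, subject, asserted_email, reviewed_email):
        """IdP asserts `asserted_email`; the review-profile page lets the user
        submit `reviewed_email`, which decides which local account is merged."""
        if (self.hardened and reviewed_email != asserted_email
                and self.user_by_email(reviewed_email) is not None):
            return "rejected: email changed to another account's address during linking"
        target = self.user_by_email(reviewed_email)
        if target is None:
            # No conflict: a fresh local account is created for the broker identity.
            self.users[reviewed_email] = User(reviewed_email, reviewed_email, {(idp, subject)})
            return "created"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (idp, subject, target.username)
        if self.hardened:
            # Mail names the requesting identity, so the recipient can judge it.
            body = (f"Link {idp} identity {subject} ({asserted_email}) to your "
                    f"account {target.username}? Confirm: /link?token={token}")
        else:
            # Vulnerable wording: nothing identifies who asked for the link.
            body = f"Someone wants to link an identity to your account. Click /link?token={token} to confirm."
        self.outbox.append(Mail(reviewed_email, body))
        return "verification-sent"

    def confirm_link(self, token):
        """Victim clicks the link: the pending broker identity is attached to the account."""
        rec = self.pending.pop(token, None)
        if rec is None:
            return None
        idp, subject, username = rec
        self.users[username].linked_idps.add((idp, subject))
        return username

    def login_via_idp(self, idp, subject):
        """Which local account does this broker identity now log into?"""
        for u in self.users.values():
            if (idp, subject) in u.linked_idps:
                return u.username
        return None


def _token_from(mail):
    return mail.body.split("token=")[1].split()[0]


def run_attack(hardened):
    """Attacker's IdP identity asserts the attacker's own address, but the attacker
    edits the email on the review page to the victim's address."""
    realm = Realm(hardened)
    realm.add_user("victim", "victim@example.com")
    outcome = realm.first_broker_login("github", "attacker-42",
                                       "attacker@evil.example", "victim@example.com")
    if outcome != "verification-sent":
        return {"outcome": outcome, "hijacked": False}
    mail = realm.outbox[-1]
    realm.confirm_link(_token_from(mail))  # victim clicks the plausible-looking link
    return {"outcome": outcome, "mail_to": mail.to,
            "attacker_visible": "attacker@evil.example" in mail.body,
            "hijacked": realm.login_via_idp("github", "attacker-42") == "victim"}


def run_legit_link(hardened):
    """A user whose IdP asserts their own existing address links the accounts."""
    realm = Realm(hardened)
    realm.add_user("alice", "alice@example.com")
    outcome = realm.first_broker_login("github", "alice-gh", "alice@example.com", "alice@example.com")
    realm.confirm_link(_token_from(realm.outbox[-1]))
    return outcome == "verification-sent" and realm.login_via_idp("github", "alice-gh") == "alice"


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))
    print("hardened:  ", run_attack(hardened=True))
    print("legit link still works when hardened:", run_legit_link(hardened=True))
```

In the vulnerable configuration the mail goes to the victim, never mentions the attacker, and one click hands the victim's account to the attacker's IdP identity; the hardened realm refuses the email change up front while the honest same-address merge still completes. In a real deployment the editable page is Keycloak's Review Profile step of the first broker login flow; apply the vendor's fix rather than relying on this toy check.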

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Timeline

  • Vulnerability reserved

  • Vulnerability published (10 July 2025)