
CVE-2025-7365 org.keycloak/keycloak-services: Phishing attack via email verification step in first login flow [rhbk-26.2]

    • Upstream
    • CVE-2025-7365
    • 5.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
    • CWE-346
    • org.keycloak/keycloak-services
    • keycloak
    • Moderate

      Security Tracking Issue

      Do not make this issue public.

      Flaw:


      Phishing attack via email verification step in first login flow
      https://bugzilla.redhat.com/show_bug.cgi?id=2378852

      There is a flaw in the first login flow where, during an IdP login, an attacker with a registered account can initiate the process of merging accounts with an existing victim's account. The attacker is subsequently prompted to "review profile" information, which allows the attacker to change their email address to that of the victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker gains access to the victim's account. While this is not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity.


              Unassigned
              rh-ee-rgatica Robb Gatica
              Alexander Schwartz, Bruno Oliveira da Silva, Marek Posolda, Paramvir Jindal, Stan Silvert, Stian Thorgersen, Václav Muzikář