Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

INFO

Published Date :

2025-07-10T14:20:45.775Z

Last Modified :

2026-01-08T02:59:45.463Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2025-7365 vulnerability.

Vendors Products
Redhat
  • Build Keycloak
  • Keycloak
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-7365.

URL Resource
https://access.redhat.com/errata/RHSA-2025:11986 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:11987 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:12015 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:12016 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-7365 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-7365 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-7365 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact