Bug 2378852 (CVE-2025-7365)

Summary: CVE-2025-7365 keycloak: Phishing attack via email verification step in first login flow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aschwart, boliveir, mposolda, pjindal, ssilvert, sthorger, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-08 20:32:39 UTC 
There is a flaw with the first login flow where, during a IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity.
Comment 1 errata-xmlrpc 2025-07-28 16:43:48 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26

Via RHSA-2025:11987 https://access.redhat.com/errata/RHSA-2025:11987
Comment 2 errata-xmlrpc 2025-07-28 16:46:51 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2025:11986 https://access.redhat.com/errata/RHSA-2025:11986
Comment 3 errata-xmlrpc 2025-07-29 01:35:25 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26

Via RHSA-2025:12015 https://access.redhat.com/errata/RHSA-2025:12015
Comment 4 errata-xmlrpc 2025-07-29 01:45:56 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.2

Via RHSA-2025:12016 https://access.redhat.com/errata/RHSA-2025:12016