Bug 2421711 (CVE-2025-14559) - CVE-2025-14559 org.keycloak/keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users
Keywords:
Status: NEW
Alias: CVE-2025-14559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-12-12 09:55 UTC by OSIDB Bzimport
Modified: 2026-01-21 06:09 UTC (History)
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-12 09:55:07 UTC
A business logic vulnerability exists in the Token Exchange implementation within the keycloak-services component. When a privileged client invokes the token exchange flow, Keycloak correctly validates the client but fails to validate whether the target “requested_subject” user is enabled. This omission allows issuance of access and refresh tokens for users whose accounts have been explicitly disabled. An internal client with the impersonation permission can therefore resurrect “zombie accounts,” obtaining tokens for former employees or banned users despite account deactivation. This flaw enables unauthorized use of previously revoked privileges and relies solely on the presence of an internal high-privileged client, requiring no user interaction or direct authentication by the disabled user.

