CVE-2025-7365 Overview
A flaw in Red Hat Keycloak allows an authenticated attacker to hijack accounts during identity provider (IdP) login by abusing the account merge flow. When the attacker reaches the "review profile" step, they can change their email address to match a victim's account. Keycloak then sends a verification email to the victim. The message does not disclose the attacker's email, creating a phishing vector. If the victim clicks the verification link, the attacker gains access to the victim's account. The issue is tracked as [CWE-346] Origin Validation Error.
Critical Impact
Successful exploitation results in full account takeover of the victim's Keycloak account, exposing every application that relies on Keycloak for single sign-on.
Affected Products
- Red Hat Keycloak
- Red Hat Build of Keycloak
- Red Hat Single Sign-On deployments using the affected Keycloak versions
Discovery Timeline
- 2025-07-10 - CVE-2025-7365 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-7365
Vulnerability Analysis
The vulnerability resides in the Keycloak first-login flow used when a user authenticates through an external identity provider. When the authenticated user is prompted to merge with an existing local account, Keycloak presents a "review profile" page that permits editing the email address. The application then issues a verification email to the supplied address without binding the verification token to the originating IdP identity. The token therefore acts as proof of ownership for any address the attacker submits.
The verification email omits any reference to the attacker's identity or the IdP that initiated the flow. From the victim's perspective, the message looks like a legitimate verification request from a trusted service. Clicking the link completes the merge, binding the attacker's federated identity to the victim's local account.
Root Cause
The root cause is an origin validation failure [CWE-346] in the account-linking workflow. Keycloak treats a successful click on the verification link as sufficient proof to merge a federated identity with a local account, without re-validating that the email under review belongs to the federated identity that initiated the login. The flow does not enforce a constraint that the reviewed email match the identity asserted by the IdP.
Attack Vector
Exploitation requires network access to the Keycloak login endpoint, valid credentials at a federated IdP, and user interaction from the victim. The attacker initiates an IdP login, triggers the account merge prompt, edits the email field on the review-profile page to the victim's address, and submits the form. Keycloak dispatches a verification email to the victim. When the victim clicks the link, Keycloak binds the attacker's federated identity to the victim's account, so subsequent logins through that IdP land in the victim's account.
No verified public exploit code is available. Technical details and the upstream fix are tracked in GitHub Keycloak Issue #40446 and GitHub Keycloak Pull Request #40520.
Detection Methods for CVE-2025-7365
Indicators of Compromise
- Keycloak audit events of type UPDATE_PROFILE or FEDERATED_IDENTITY_LINK where the submitted email differs from the email asserted by the upstream IdP.
- SEND_VERIFY_EMAIL events targeting an address that already belongs to another active local account.
- VERIFY_EMAIL success followed by FEDERATED_IDENTITY_LINK for a user whose federated sub claim does not match the historical identity for that account.
- Unexpected logins to downstream applications from a new federated IdP for an existing user.
Detection Strategies
- Correlate Keycloak event log entries to flag flows where the review-profile step changes the email to one that matches an existing user.
- Alert on verification emails sent to an address that already has a verified, active Keycloak account.
- Track the ratio of IDENTITY_PROVIDER_FIRST_LOGIN events that result in account merges and investigate spikes.
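The following detector is an added example, not code from the advisory or from the Keycloak project. It implements the first two strategies above over newline-delimited JSON events: it groups events by session, remembers the email the IdP asserted at first login, and flags a review-profile email change away from that address and a verification email sent to an address that already belongs to a different local account. The event lines, the local account directory and the "email" detail on the IDENTITY_PROVIDER_FIRST_LOGIN event are constructed for the example; the other detail keys (updated_email, email, identity_provider) follow Keycloak's event detail names, but check them against the event format of the version you run.

```python
import json
from collections import defaultdict

# Constructed directory of existing, verified local Keycloak accounts: email -> username.
LOCAL_ACCOUNTS = {
    "victim@example.com": "victim",
    "bob@example.com": "bob",
}

# Constructed event lines in Keycloak's JSON event-log shape (type, sessionId, details).
# Session s1 models the abusive merge flow; s2 is a benign first login.
# The "email" detail on IDENTITY_PROVIDER_FIRST_LOGIN is assumed for this example.
SAMPLE_EVENTS = """\
{"type":"IDENTITY_PROVIDER_FIRST_LOGIN","sessionId":"s1","details":{"identity_provider":"ext-idp","identity_provider_identity":"mallory@idp.example","email":"mallory@idp.example"}}
{"type":"UPDATE_PROFILE","sessionId":"s1","details":{"previous_email":"mallory@idp.example","updated_email":"victim@example.com"}}
{"type":"SEND_VERIFY_EMAIL","sessionId":"s1","details":{"email":"victim@example.com"}}
{"type":"IDENTITY_PROVIDER_FIRST_LOGIN","sessionId":"s2","details":{"identity_provider":"ext-idp","identity_provider_identity":"carol@idp.example","email":"carol@idp.example"}}
{"type":"SEND_VERIFY_EMAIL","sessionId":"s2","details":{"email":"carol@idp.example"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_merge_abuse(events, local_accounts):
    """Correlate first-login, profile-update and verify-email events per session.

    Returns a list of (session_id, rule, email) findings:
      - email_changed_from_idp_assertion: the review-profile step replaced the
        IdP-asserted email with a different address
      - verify_email_to_existing_account: a verification email went to an address
        owned by an existing local account that the IdP did not assert
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.get("sessionId")].append(ev)

    findings = []
    for sid, evs in by_session.items():
        asserted = None  # email the IdP asserted at first login, once seen
        for ev in evs:
            details = ev.get("details", {})
            kind = ev.get("type")
            if kind == "IDENTITY_PROVIDER_FIRST_LOGIN":
                asserted = (details.get("email") or "").lower() or None
            elif kind == "UPDATE_PROFILE":
                updated = (details.get("updated_email") or "").lower()
                if asserted and updated and updated != asserted:
                    findings.append((sid, "email_changed_from_idp_assertion", updated))
            elif kind == "SEND_VERIFY_EMAIL":
                target = (details.get("email") or "").lower()
                if target in local_accounts and target != asserted:
                    findings.append((sid, "verify_email_to_existing_account", target))
    return findings


def suspicious_sessions(findings):
    """Sessions that triggered both rules: the strongest signal of the merge abuse."""
    rules = defaultdict(set)
    for sid, rule, _ in findings:
        rules[sid].add(rule)
    return sorted(sid for sid, seen in rules.items() if len(seen) == 2)


if __name__ == "__main__":
    found = detect_merge_abuse(parse_events(SAMPLE_EVENTS), LOCAL_ACCOUNTS)
    for finding in found:
        print(finding)
    print("sessions to investigate:", suspicious_sessions(found))
```

A legitimate first login by a user whose IdP email already matches their local account also produces a SEND_VERIFY_EMAIL to an existing address, which is why the second rule only fires when the target differs from the asserted email; sessions that hit both rules are the ones worth paging on, the rest can go to a review queue.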
Monitoring Recommendations
- Forward Keycloak event logs and admin events to a centralized SIEM and retain them for at least 90 days.
- Notify account owners through an out-of-band channel whenever a new federated identity is linked to their account.
- Review identity broker configurations and enforce administrator approval for first-time IdP-to-local account merges.
How to Mitigate CVE-2025-7365
Immediate Actions Required
- Apply the fixed Keycloak builds shipped by Red Hat in RHSA-2025:11986, RHSA-2025:11987, RHSA-2025:12015, and RHSA-2025:12016.
- Audit existing account-to-IdP links for unexpected federated identities and unlink any that cannot be attributed to the legitimate user.
- Force a password reset and re-verification for users whose accounts were recently merged with a federated identity.
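To support the audit of existing account-to-IdP links, here is an added example that is not part of the advisory or of Keycloak itself. It takes user and federated-identity records in the shape returned by kcadm.sh (users carry id, username, email; links carry identityProvider, userId, userName) and flags links from providers not approved for linking to existing accounts, or whose federated username does not match the local email. The records, the provider allow-list and the realm name are constructed for the example; the generated unlink commands use the REST path users/{id}/federated-identity/{provider} and are meant to be reviewed by a person before they are run.

```python
# Constructed records shaped like kcadm.sh output:
#   kcadm.sh get users -r <realm>                         -> user representations
#   kcadm.sh get users/<id>/federated-identity -r <realm> -> links for one user
# Field names follow Keycloak's REST representations; all values are invented.
USERS = [
    {"id": "u1", "username": "victim", "email": "victim@example.com", "enabled": True},
    {"id": "u2", "username": "bob", "email": "bob@example.com", "enabled": True},
]
LINKS = {
    "u1": [{"identityProvider": "ext-idp", "userId": "idp-9001", "userName": "mallory@idp.example"}],
    "u2": [{"identityProvider": "corp-idp", "userId": "idp-42", "userName": "bob@example.com"}],
}
# Providers that are allowed to link to existing local accounts (assumed policy).
APPROVED_PROVIDERS = {"corp-idp"}


def audit_links(users, links, approved_providers):
    """Return one finding per federated link that needs attribution or removal.

    Two heuristics taken from the mitigation list above:
      - provider_not_approved: the link comes from an IdP outside the allow-list
      - identity_mismatch: the federated username (normally the login or email
        at the IdP) does not match the local account's email
    """
    findings = []
    for user in users:
        local_email = (user.get("email") or "").lower()
        for link in links.get(user["id"], []):
            reasons = []
            if link["identityProvider"] not in approved_providers:
                reasons.append("provider_not_approved")
            if (link.get("userName") or "").lower() != local_email:
                reasons.append("identity_mismatch")
            if reasons:
                findings.append({
                    "user_id": user["id"],
                    "username": user["username"],
                    "provider": link["identityProvider"],
                    "federated_user": link.get("userName"),
                    "reasons": reasons,
                })
    return findings


def unlink_commands(findings, realm):
    """kcadm.sh commands that would remove each flagged link; review before running."""
    return [
        f"kcadm.sh delete users/{f['user_id']}/federated-identity/{f['provider']} -r {realm}"
        for f in findings
    ]


if __name__ == "__main__":
    flagged = audit_links(USERS, LINKS, APPROVED_PROVIDERS)
    for f in flagged:
        print(f["username"], "<-", f["provider"], f["federated_user"], f["reasons"])
    for cmd in unlink_commands(flagged, "<realm>"):
        print(cmd)
```

The identity-mismatch heuristic is a triage aid, not proof: organisations whose IdP usernames are not email addresses will see false positives, so tune the comparison (for example, match on the local-part or on a per-provider attribute) before acting on it.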
Patch Information
Red Hat has released fixed packages for Red Hat Build of Keycloak and Red Hat Single Sign-On. Refer to the Red Hat CVE Report for CVE-2025-7365 and Red Hat Bugzilla #2378852 for the complete list of fixed versions and applicability for each supported product stream. The upstream fix is delivered in Keycloak Pull Request #40520.
Workarounds
- Disable the "Update Profile On First Login" option on identity provider configurations, or set it to a value that prevents email editing during first login.
- Replace the default First Broker Login flow with a customized authentication flow that blocks email changes and requires administrator approval for account merges.
- Restrict which identity providers are allowed to link to existing local accounts until patched builds are deployed.
# Configuration example: harden the First Broker Login flow via kcadm.sh
# (replace <idp-alias> and <realm> with the identity provider alias and realm name)
# 1. Set Update Profile On First Login to OFF for the affected IdP
kcadm.sh update identity-provider/instances/<idp-alias> \
    -r <realm> \
    -s 'config.updateProfileFirstLoginMode="off"'
# 2. Do not treat the IdP-asserted email as already verified, so an existing
#    account is never linked on the strength of the IdP's email claim alone
kcadm.sh update identity-provider/instances/<idp-alias> \
    -r <realm> \
    -s 'config.trustEmail="false"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.