CVE-2025-7365 HIGH

CVE-2025-7365: Keycloak: phishing attack via email verification step in first login flow

Vendor Red Hat
Product Red Hat build of Keycloak 26
Weakness CWE-346 · Origin validation
Published July 10, 2025
Last update May 6, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

Key dates

02Disclosure timeline

July 10, 2025 CVE published
May 6, 2026 Record updated