CVE-2025-7365

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

10/07/2025

Last modified:

10/07/2025

Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim&#39;s account, triggering a verification email sent to the victim&#39;s email address. The attacker&#39;s email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim&#39;s account.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.40 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

Base Score 3.x

5.40

Severity 3.x

MEDIUM

CVE-2025-7365

Description

Impact

References to Advisories, Solutions, and Tools