CVE-2025-7365 Information

Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker is subsequently prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim’s account, triggering a verification email sent to the victim’s email address. The attacker’s email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim’s account.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Reference

https://access.redhat.com/security/cve/CVE-2025-7365
https://bugzilla.redhat.com/show_bug.cgi?id=2378852

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM

CNNVD-202507-1498 (Published: 2025-07-10)