CVE-2025-7365

Published Jul 10, 2025

Last updated 3 days ago

CVSS medium 5.4

Overview

Description
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.
Source
secalert@redhat.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
5.4
Impact score
4.2
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Severity
MEDIUM

Weaknesses

secalert@redhat.com
CWE-346

Social media

Hype score
Not currently trending

  1. CVE-2025-7365 Account Takeover Vulnerability in Keycloak via Malicious Profile Merge https://t.co/zQf4kesytJ Vulnerability Notification: https://t.co/xhLrNnfyrO

    @VulmonFeeds

    10 Jul 2025

    23 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.