
CVE-2025-7365: Keycloak vulnerable to phishing attacks through its Review Profile section

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.01969%
Published: 7/10/2025
Updated: 7/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Package Name: org.keycloak:keycloak-services
Ecosystem: maven
Vulnerable Versions: < 26.3.0
First Patched Version: 26.3.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a logic flaw in Keycloak's 'First Broker Login' authentication flow, which runs when a user signs in through an external Identity Provider (IdP) for the first time. The root cause is that two authenticators in that flow do not share state: the profile-review step lets the user replace the email address the IdP asserted but records nothing about it, so the email-verification step that runs next treats the user-supplied address as if it had come from the IdP. The CVSS vector reflects the preconditions: the attacker needs an account at the external IdP (PR:L) and the victim has to act on the resulting email (UI:R).

  1. Profile Review (IdpReviewProfileAuthenticator.action): during first broker login the user (here, the attacker) is shown a 'Review Profile' form and may edit profile fields, including the email address. The attacker replaces their own IdP email with the victim's. In the vulnerable version the submitted address simply overwrote the IdP-asserted one; nothing in the authentication session recorded that the user had changed it.

  2. Email Verification (IdpEmailVerificationAuthenticator.authenticateImpl): this authenticator runs after the profile review and confirms ownership of the email address by sending a confirmation link to it. It read the address from the authentication session and, having no way to tell that the user had altered it in the previous step, sent the verification email to the victim's address from a login flow the victim never started.

The patch introduces an explicit signal between the two steps. IdpReviewProfileAuthenticator now sets a note (UPDATE_PROFILE_EMAIL_CHANGED) in the authentication session whenever the email address is changed on the review form, and IdpEmailVerificationAuthenticator checks for that note before sending anything: if it is present, the email-verification path is abandoned, so no message goes to the victim. Exploitation requires exactly these two functions to execute in sequence within one first-broker-login session. Operators should confirm that deployed instances carry keycloak-services 26.3.0 or later, since that module is where the fix lives.

Vulnerable functions

org.keycloak.authentication.authenticators.broker.IdpEmailVerificationAuthenticator.authenticateImpl
services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.java
This function was vulnerable because it sent an email-verification link to whatever address was present in the authentication session, without checking whether the user had modified that address in an earlier step. An attacker who set the address to a victim's in the 'Review Profile' step thereby caused this function to email the victim, which is the phishing vector. The patch adds a check for the session note that marks the email as changed and skips verification when it is set.
org.keycloak.authentication.authenticators.broker.IdpReviewProfileAuthenticator.action
services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java
This function processes the user's input from the 'Review Profile' page. The flaw is not in this function's own logic; it is the entry point for the attacker's malicious input (the victim's email address). The original implementation did not record that the email had been modified by the user, which left the subsequent authenticator (IdpEmailVerificationAuthenticator) with no way to refuse. The patch adds the session note that tracks the change.
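The following model runs the two-step hand-off described in the Root Cause Analysis and the Vulnerable functions entries above, once without and once with the signalling note, so the difference in outcome can be checked directly. It is an added illustration, not Keycloak source: the dict-backed AuthSession, BrokeredIdentity, run_flow and the `patched` switch are assumptions made for the model, and the sample identities and addresses are constructed. Only the note name UPDATE_PROFILE_EMAIL_CHANGED comes from the advisory text.

```python
"""Model of the hand-off between Keycloak's profile-review and
email-verification authenticators during first broker login.

Added illustration, not Keycloak source: AuthSession, BrokeredIdentity,
run_flow and the `patched` switch are assumptions made for this model.
Only the note name UPDATE_PROFILE_EMAIL_CHANGED comes from the advisory.
"""
from dataclasses import dataclass, field


UPDATE_PROFILE_EMAIL_CHANGED = "UPDATE_PROFILE_EMAIL_CHANGED"


@dataclass
class BrokeredIdentity:
    idp_alias: str
    username: str
    email: str  # address asserted by the external IdP at login


@dataclass
class AuthSession:
    brokered: BrokeredIdentity
    notes: dict = field(default_factory=dict)      # stands in for auth notes
    sent_mail: list = field(default_factory=list)  # recipients of verification mail


def review_profile(session, form, patched):
    """Stand-in for IdpReviewProfileAuthenticator.action.

    Applies the user's form input to the brokered identity. The patched
    variant records, as an auth note, that the email no longer matches what
    the IdP asserted; the vulnerable variant overwrites it silently.
    """
    asserted = session.brokered.email.strip().lower()
    submitted = form.get("email", asserted).strip().lower()
    if patched and submitted != asserted:
        session.notes[UPDATE_PROFILE_EMAIL_CHANGED] = "true"
    session.brokered.email = submitted


def verify_email(session, existing_accounts, patched):
    """Stand-in for IdpEmailVerificationAuthenticator.authenticateImpl.

    Runs when the session's email collides with an existing local account and
    ownership must be proven. Returns the outcome so callers can inspect it.
    """
    email = session.brokered.email
    if email not in existing_accounts:
        return "no-conflict"           # nothing to verify against
    if patched and session.notes.get(UPDATE_PROFILE_EMAIL_CHANGED) == "true":
        return "refused"               # user-typed address: do not mail it
    session.sent_mail.append(email)    # vulnerable path: the victim gets the mail
    return "sent"


def run_flow(form, existing_accounts, patched):
    """Run both authenticators in order for a fresh first-broker-login session.

    The attacker's IdP identity below is constructed sample data.
    """
    session = AuthSession(
        BrokeredIdentity("external-idp", "attacker", "attacker@idp.example")
    )
    review_profile(session, form, patched)
    outcome = verify_email(session, existing_accounts, patched)
    return outcome, list(session.sent_mail)


if __name__ == "__main__":
    local_accounts = {"victim@corp.example"}
    # Vulnerable: the attacker's edit reaches the verifier unnoticed.
    print(run_flow({"email": "victim@corp.example"}, local_accounts, patched=False))
    # Patched: the note set by the review step stops the mail.
    print(run_flow({"email": "victim@corp.example"}, local_accounts, patched=True))
```

Note that the patched path still sends verification mail when the colliding address is the one the IdP itself asserted (empty form in the last assertion); the fix only refuses addresses the user typed on the review screen, which is the exact hand-off the advisory describes.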

WAF Protection Rules

WAF Rule

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerabil

Reasoning

The vulnerability is a logic flaw in the 'First Broker Login' authentication flow in Keycloak, which occurs when a user logs in via an external Identity Provider (IdP) for the first time. The root cause is a lack of communication between two authenti