CVE-2025-1391

keycloak-services: Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
Possible countermeasure
Keycloak Server: install the latest version.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Affected products (CNA data)

Collection URL: https://github.com/keycloak/keycloak
Package: keycloak-services
Default status: unaffected
  Versions from 26.0.0 up to (excluding) 26.0.10: affected

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Default status: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.0
Default status: affected
  Versions from 26.0.10-3 up to *: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.0
Default status: affected
  Versions from 26.0-11 up to *: unaffected

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.0
Default status: affected
  Versions from 26.0-12 up to *: unaffected
Further vulnerability information
System: Keycloak
Product: Keycloak Server
Affected versions: >= 0.0.0, < 26.0.10
Affected versions: >= 26.1.0, < 26.1.3
No advisory was found for this CVE.
EPSS metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  0.09%   0.252

CVSS metrics
Source                Base Score  Exploit Score  Impact Score  Vector String
secalert@redhat.com   5.4         2.8            2.5           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.