CVE-2025-1391 – org.keycloak:keycloak-services

Package

Manager: maven
Name: org.keycloak:keycloak-services
Vulnerable Version: >=26.1.0 <26.1.3 || >=0 <26.0.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00019 pctl0.03336

Details

Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms.

Metadata

Created: 2025-03-10T21:09:43Z
Modified: 2025-03-10T21:09:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-gvgg-2r3r-53x7/GHSA-gvgg-2r3r-53x7.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-gvgg-2r3r-53x7
Finding: F039
Auto approve: 1