logo

Database

Improper authorization control for web services In org.keycloak:keycloak-services

Description

Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-13912. NVD-2025-13913. OSV-2025-13914. GHSA-gvgg-2r3r-53x75. GCVE-2025-13916. access.redhat.com7. ACCESS-CVE-2025-1391

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-gvgg-2r3r-53x72. https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e3783. https://bugzilla.redhat.com/show_bug.cgi?id=2346082

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.