CVE-2025-7365

Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A flaw exists in Keycloak that allows an authenticated attacker to potentially gain access to a victim's account. During an identity provider (IdP) login, if an attacker attempts to merge accounts with an existing account, they are prompted to review profile information. This allows the attacker to modify their email address to match a victim's, triggering a verification email sent to the victim. The attacker's email address is not included in the verification email, creating a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim’s account.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.