Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN491 _____________________________________________________________________ DATE : 01/08/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running keycloak-services (Maven) versions prior to 26.0.13, 26.2.6, 26.3.0. ===================================================================== https://github.com/keycloak/keycloak/security/advisories/GHSA-xhpr-465j-7p9q https://github.com/keycloak/keycloak/security/advisories/GHSA-27gp-8389-hm4w _____________________________________________________________________ Keycloak phishing attack via email verification step in first login flow Moderate severity GitHub Reviewed Published Jul 29, 2025 in keycloak/keycloak • Updated Jul 30, 2025 Vulnerability details Package org.keycloak:keycloak-services (Maven) Affected versions < 26.0.13 >= 26.2.0, < 26.2.6 Patched versions 26.0.13 26.2.6 Description There is a flaw with the first login flow where, during a IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity. This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. References GHSA-xhpr-465j-7p9q https://nvd.nist.gov/vuln/detail/CVE-2025-7365 keycloak/keycloak#40446 keycloak/keycloak#40520 https://access.redhat.com/errata/RHSA-2025:11986 https://access.redhat.com/errata/RHSA-2025:11987 https://access.redhat.com/errata/RHSA-2025:12015 https://access.redhat.com/errata/RHSA-2025:12016 https://access.redhat.com/security/cve/CVE-2025-7365 https://bugzilla.redhat.com/show_bug.cgi?id=2378852 https://github.com/keycloak/keycloak/releases/tag/26.0.13 https://github.com/keycloak/keycloak/releases/tag/26.2.6 https://github.com/keycloak/keycloak/releases/tag/26.3.0 Severity Moderate 5.4/ 10 CVSS v3 base metrics Attack vector Network Attack complexity High Privileges required Low User interaction Required Scope Unchanged Confidentiality High Integrity Low Availability None CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N EPSS score 0.018 (3rd percentile) Weaknesses Weakness CWE-346 CVE ID CVE-2025-7365 GHSA ID GHSA-xhpr-465j-7p9q Source code keycloak/keycloak _____________________________________________________________________ Privilege Escalation in Keycloak Admin Console (FGAPv2 Enabled) Moderate rmartinc published GHSA-27gp-8389-hm4w Jul 29, 2025 Package org.keycloak:keycloak-services (Maven) Affected versions >26.2.0, <26.2.6 Patched versions 26.2.6, 26.3.0 Description A Privilege Escalation vulnerability was identified in the Keycloak identity and access management solution, specifically when FGAPv2 is enabled in version 26.2.x. The flaw lies in the admin permission enforcement logic, where a user with manage-users privileges can self-assign realm-admin rights. The escalation occurs due to missing privilege boundary checks in role mapping operations via the admin REST interface. A malicious administrator with limited permissions can exploit this by editing their own user roles, gaining unauthorized full access to realm configuration and user data. Severity Moderate CVE ID CVE-2025-7784 Weaknesses Weakness CWE-269 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================