Search for vulnerabilities
Vulnerability details: VCID-dk7y-hky5-kbey
Vulnerability ID VCID-dk7y-hky5-kbey
Aliases GHSA-rq4w-cjrr-h8w8
Summary Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. # Original Description A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-284 Improper Access Control
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:2544
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:2544
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:2545
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:2545
cvssv3.1 5.4 https://access.redhat.com/security/cve/CVE-2025-1391
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2025-1391
cvssv3.1 5.4 https://bugzilla.redhat.com/show_bug.cgi?id=2346082
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2346082
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rq4w-cjrr-h8w8
cvssv3.1 5.4 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 5.4 https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2025-1391
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-1391
Reference id Reference type URL
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
CVE-2025-1391 https://access.redhat.com/security/cve/CVE-2025-1391
CVE-2025-1391 https://nvd.nist.gov/vuln/detail/CVE-2025-1391
GHSA-rq4w-cjrr-h8w8 https://github.com/advisories/GHSA-rq4w-cjrr-h8w8
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:2544
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:2545
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/security/cve/CVE-2025-1391
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2346082
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-1391
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2025-03-28T16:48:25.929512+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/GHSA-rq4w-cjrr-h8w8.yml 36.0.0