Vulnerability details: VCID-jgqy-unwr-myh7
Vulnerability ID VCID-jgqy-unwr-myh7
Aliases CVE-2025-7365
GHSA-xhpr-465j-7p9q
Summary Keycloak phishing attack via email verification step in first login flow. There is a flaw in the first login flow where, during an IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker is subsequently prompted to "review profile" information, which allows the attacker to change their email address to that of the victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity. This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:11986
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:11986
ssvc Track https://access.redhat.com/errata/RHSA-2025:11986
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:11987
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:11987
ssvc Track https://access.redhat.com/errata/RHSA-2025:11987
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:12015
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:12015
ssvc Track https://access.redhat.com/errata/RHSA-2025:12015
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2025:12016
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:12016
ssvc Track https://access.redhat.com/errata/RHSA-2025:12016
cvssv3 5.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7365.json
cvssv3.1 5.4 https://access.redhat.com/security/cve/CVE-2025-7365
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2025-7365
ssvc Track https://access.redhat.com/security/cve/CVE-2025-7365
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2025-7365
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-7365
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-7365
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-7365
cvssv3.1 5.4 https://bugzilla.redhat.com/show_bug.cgi?id=2378852
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2378852
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2378852
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xhpr-465j-7p9q
cvssv3.1 5.4 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 5.4 https://github.com/keycloak/keycloak/issues/40446
generic_textual MODERATE https://github.com/keycloak/keycloak/issues/40446
cvssv3.1 5.4 https://github.com/keycloak/keycloak/pull/40520
generic_textual MODERATE https://github.com/keycloak/keycloak/pull/40520
cvssv3.1 5.4 https://github.com/keycloak/keycloak/releases/tag/26.0.13
generic_textual MODERATE https://github.com/keycloak/keycloak/releases/tag/26.0.13
cvssv3.1 5.4 https://github.com/keycloak/keycloak/releases/tag/26.2.6
generic_textual MODERATE https://github.com/keycloak/keycloak/releases/tag/26.2.6
cvssv3.1 5.4 https://github.com/keycloak/keycloak/releases/tag/26.3.0
generic_textual MODERATE https://github.com/keycloak/keycloak/releases/tag/26.3.0
cvssv3.1 5.4 https://github.com/keycloak/keycloak/security/advisories/GHSA-xhpr-465j-7p9q
cvssv3.1_qr MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-xhpr-465j-7p9q
generic_textual MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-xhpr-465j-7p9q
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2025-7365
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-7365
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:11986
Decoded: Attack Vector (AV) network; Attack Complexity (AC) high; Privileges Required (PR) low; User Interaction (UI) required; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) low; Availability Impact (A) none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ Found at https://access.redhat.com/errata/RHSA-2025:11986
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:11987
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ Found at https://access.redhat.com/errata/RHSA-2025:11987
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:12015
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ Found at https://access.redhat.com/errata/RHSA-2025:12015
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:12016
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ Found at https://access.redhat.com/errata/RHSA-2025:12016
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7365.json
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://access.redhat.com/security/cve/CVE-2025-7365
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ Found at https://access.redhat.com/security/cve/CVE-2025-7365
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2378852
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2378852
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak/issues/40446
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak/pull/40520
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak/releases/tag/26.0.13
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak/releases/tag/26.2.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak/releases/tag/26.3.0
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-xhpr-465j-7p9q
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-7365
Exploit Prediction Scoring System (EPSS)
Percentile 0.02944
EPSS Score 0.00018
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:38:39.135444+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xhpr-465j-7p9q/GHSA-xhpr-465j-7p9q.json 37.0.0