Home > Vulnerability Database > CVE-2025-1391

Mend.io Vulnerability Database

CVE-2025-1391

Good to know:

Date: February 17, 2025

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

Severity Score

5.4

Related Resources (9)

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2346082

Url: https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378

Url: https://github.com/keycloak/keycloak/security/advisories/GHSA-gvgg-2r3r-53x7

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1391

Url: https://access.redhat.com/security/cve/CVE-2025-1391

Url: https://access.redhat.com/errata/RHSA-2025:2544

Url: https://access.redhat.com/errata/RHSA-2025:2545

Url: https://github.com/keycloak/keycloak

Url: https://www.mend.io/vulnerability-database/CVE-2025-1391

Severity Score

5.4

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:26.1.3

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1391

Good to know:

Date: February 17, 2025

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?