Vulnerability DatabaseCVE-2025-14559
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-14559
January 21, 2026
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
Affected Packages
org.keycloak:keycloak-services (JAVA):
Affected version(s) >=26.5.0 <26.5.2
Fix Suggestion:
Update to version 26.5.2
Related Resources (10)
https://access.redhat.com/security/cve/CVE-2025-14559
https://bugzilla.redhat.com/show_bug.cgi?id=2421711
https://github.com/keycloak/keycloak/releases/tag/26.5.2
https://access.redhat.com/errata/RHSA-2026:2366
https://nvd.nist.gov/vuln/detail/CVE-2025-14559
https://access.redhat.com/errata/RHSA-2026:2365
https://github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e659
https://github.com/keycloak/keycloak/issues/45651
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
0.04