CVE-2025-1391
Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
| CWE | CWE-284 |
| Published | Feb 17, 2025 |
| Last Updated | Nov 20, 2025 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat build of Keycloak 26.0
All versions affected Red Hat / Red Hat build of Keycloak 26.0
All versions affected Red Hat / Red Hat build of Keycloak 26.0
All versions affected