Origin Validation Error Affecting org.keycloak:keycloak-services package, versions [,26.3.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGKEYCLOAK-10691909
- published11 Jul 2025
- disclosed10 Jul 2025
- creditBlake Burkhart
Introduced: 10 Jul 2025
NewCVE-2025-7365 (opens in a new tab)How to fix?
Upgrade org.keycloak:keycloak-services to version 26.3.0 or higher.
Overview
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another user's account by initiating an account merge during an identity provider login and modifying their email address to match the victim's, which results in a verification email being sent to the victim. If the victim clicks the verification link, the attacker is able to access the victim's account.
Note:
This is only exploitable if IdP is configured in Keycloak and the attacker has access both to a registered Keycloak and identity provider account. Additionally, an attacker would need to know the email or Keycloak username of the victim. Finally, the victim would need to accept the verification link within the 5 minutes that the token is active.