Incorrect User Management Affecting org.keycloak:keycloak-services package, versions [,26.1.3)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGKEYCLOAK-8731591
  • published18 Feb 2025
  • disclosed17 Feb 2025
  • creditUnknown

Introduced: 17 Feb 2025

CVE-2025-1391  (opens in a new tab)
CWE-286  (opens in a new tab)

How to fix?

Upgrade org.keycloak:keycloak-services to version 26.1.3 or higher.

Overview

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Incorrect User Management in oidc/OrganizationMembershipMapper.java, which relies on matching the domain of a user's email address to map them to an organization. A user can make an unauthorized token claim including association with an organization that they are not actually mapped to. If self-registration is enabled and unrestricted, this is easier to exploit.

CVSS Base Scores

version 4.0
version 3.1