Vulnerability Description
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2025:2544
- https://access.redhat.com/errata/RHSA-2025:2545
- https://access.redhat.com/security/cve/CVE-2025-1391
- https://bugzilla.redhat.com/show_bug.cgi?id=2346082
- https://github.com/keycloak/keycloak/issues/37169
- https://github.com/keycloak/keycloak/pull/37235
FAQ
What is CVE-2025-1391?
CVE-2025-1391 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This iss...
How severe is CVE-2025-1391?
CVE-2025-1391 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-1391?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.