CVE-ID: CVE-2025-1391 - Keycloak Organization Domain Pattern Assignment Vulnerability (Authentication Bypass)

Article ID: 390884

Products

Service Virtualization

Issue/Introduction

CVSS Score: 5.5

Product: Red Hat [Keycloak (Unspecified)]

Vulnerability Finding Name: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern.

Communication Date: 2/19/2025

Target Remediation Date: 6/4/2025

VMT Severity Rating: Medium 75 Internal

Discussion: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization's domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

Red Hat Keycloak Organization Mapper Improper Email / Username Mapping Unauthorized Remote Access. Red Hat Keycloak contains a flaw in the organization mapper: an organization is incorrectly assigned to a user whenever the username or email matches the organization's domain pattern, regardless of actual membership. This may allow an authenticated remote attacker to gain unauthorized access or privileges in an organization they are not a member of.
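As an added illustration of the flaw class the discussion describes (this is not Keycloak's code and is not part of this article), the following Python model contrasts a token mapper that assigns organizations by domain pattern with one that checks actual membership before emitting the claim. The organization, domain, user records and the `organization` claim key are constructed assumptions for the example.

```python
"""Simplified model of CVE-2025-1391's flaw class (added example, not Keycloak code).

Two mapper variants build the organization claim of an access token:
  - org_claim_by_domain:      matches the user's email/username domain against
                              each organization's domain pattern (the flawed
                              behaviour described in the advisory)
  - org_claim_by_membership:  emits only organizations the user actually belongs to
All names, domains, user IDs and the "organization" claim key are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Organization:
    name: str
    domains: frozenset   # email domains the organization has registered
    members: frozenset   # user IDs that were explicitly added as members


@dataclass(frozen=True)
class User:
    user_id: str
    username: str
    email: str


def _domain_of(identifier: str) -> str:
    """Return the lower-cased part after '@', or '' if there is none."""
    return identifier.rsplit("@", 1)[-1].lower() if "@" in identifier else ""


def org_claim_by_domain(user: User, orgs) -> list:
    """Flawed mapping: any org whose domain pattern matches the username or
    email is assigned, with no check that the user was ever made a member."""
    candidates = {_domain_of(user.email), _domain_of(user.username)} - {""}
    return sorted(o.name for o in orgs if candidates & o.domains)


def org_claim_by_membership(user: User, orgs) -> list:
    """Corrected mapping: only organizations that list the user as a member."""
    return sorted(o.name for o in orgs if user.user_id in o.members)


def build_token(user: User, orgs, mapper) -> dict:
    """Assemble the claims a relying party would see, using the given mapper."""
    return {
        "sub": user.user_id,
        "preferred_username": user.username,
        "email": user.email,
        "organization": mapper(user, orgs),   # constructed claim name
    }


# Constructed sample data: one organization, one real member and one
# self-registered account whose email merely shares the organization's domain.
ACME = Organization("acme", frozenset({"acme.example"}), frozenset({"u1"}))
ORGS = (ACME,)
ALICE = User("u1", "alice", "alice@acme.example")        # actual member
MALLORY = User("u2", "mallory", "mallory@acme.example")  # domain match only


def demo() -> dict:
    """Return the organization claims each mapper produces for both users."""
    return {
        "flawed": {
            u.user_id: build_token(u, ORGS, org_claim_by_domain)["organization"]
            for u in (ALICE, MALLORY)
        },
        "fixed": {
            u.user_id: build_token(u, ORGS, org_claim_by_membership)["organization"]
            for u in (ALICE, MALLORY)
        },
    }


if __name__ == "__main__":
    for variant, claims in demo().items():
        print(variant, claims)
```

The contrast is the whole point of the advisory: with the domain-pattern mapper, the non-member's token carries `"organization": ["acme"]` purely because of the email domain, and any downstream application that authorizes on that claim will treat the account as a member. The membership-based mapper leaves the claim empty for that account, which is why deployments that do not enable the organization feature at all (as stated below for Service Virtualization) are not exposed.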

Environment

All supported releases of DevTest

Resolution

CVE-2025-1391 - Does Not Apply to the Service Virtualization product.

A deployment is only affected if the Keycloak Organization feature is in use, and the Service Virtualization product does not use that feature.