CVE-2025-7365: 
Java vulnerability analysis and mitigation

A flaw was found in Keycloak (CVE-2025-7365) discovered on June 20, 2025. The vulnerability affects the account merging process during Identity Provider (IdP) login. When an authenticated attacker attempts to merge accounts with another existing account, they can modify their email address to match a victim's account during the 'review profile' step, triggering a verification email to the victim. The verification email does not contain the attacker's email address, creating a potential phishing opportunity (Red Hat XML).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N. The flaw is classified as CWE-346 (Origin Validation Error). To exploit this vulnerability, IdP must be configured in Keycloak, and the attacker would require both a registered Keycloak and identity provider account. Additionally, the attacker needs to know the email or Keycloak username of the victim, and the victim must accept the verification link within the 5-minute token validity period (Red Hat XML).

If successfully exploited, this vulnerability could lead to account takeover if the victim clicks the verification link. The attacker could gain unauthorized access to the victim's account and its associated resources. The CVSS scoring indicates high confidentiality impact and low integrity impact, with no availability impact (NVD).

Two workarounds have been identified: 1) Disable account review in the Identity Provider to prevent users from potentially modifying identity information, or 2) Disable the email verification step and use only re-authentication step (Red Hat XML).