Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims

GHSA-gvgg-2r3r-53x7 · CVE-2025-1391

Published Mar 10, 2025 · Modified Mar 10, 2025

Description

This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms.

References

WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-gvgg-2r3r-53x7
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-1391
WEB https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
WEB https://access.redhat.com/errata/RHSA-2025:2545
WEB https://access.redhat.com/security/cve/CVE-2025-1391
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2346082
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes