Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User

GHSA-rq4w-cjrr-h8w8

Published Feb 17, 2025 · Modified Mar 10, 2025

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references.

Original Description

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-1391
WEB https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
WEB https://access.redhat.com/errata/RHSA-2025:2544
WEB https://access.redhat.com/errata/RHSA-2025:2545
WEB https://access.redhat.com/security/cve/CVE-2025-1391
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2346082
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes