CVE-2025-1391: Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims

Description

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

Classification

CVE ID: CVE-2025-1391

Affected Products

Vendor: Red Hat

Product: Red Hat Build of Keycloak

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 0.18372 (how common is this exploit)

EPSS Date: 2025-03-12 (when was this score calculated)

Timeline

2025-02-18 00:30:16 UTC
CVE

Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims
2025-02-20 21:15:16 UTC
Github Advisory Database (Maven)

[org.keycloak:keycloak-services] Keycloak allows Incorrect Assignment of an Organization to a User
2025-03-10 22:15:19 UTC
Github Advisory Database (Maven)

[org.keycloak:keycloak-services] Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims