CVE-2025-14559

Summary

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.426.4.9-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-11 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-10 < *unaffected

Weaknesses

  • CWE-840: CWE-840

Workarounds

To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References