CVE-2025-14559
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.9-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-11 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-10 < * | unaffected |
Weaknesses
- CWE-840: CWE-840
Workarounds
To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2026:2365
- https://access.redhat.com/errata/RHSA-2026:2366
- https://access.redhat.com/security/cve/CVE-2025-14559
- https://bugzilla.redhat.com/show_bug.cgi?id=2421711
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.