CVE-2025-14559
Business Logic Flaw in Keycloak Token Exchange Enables Unauthorized Access
Publication date: 2026-01-21
Last updated on: 2026-02-10
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | to *-* (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-840 | Business Logic Errors |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a business logic flaw in Keycloak's token exchange process. When a privileged internal client requests token exchange, Keycloak fails to check if the target user account is disabled. As a result, access and refresh tokens can be issued for disabled users, allowing an attacker with impersonation permissions to generate tokens for deactivated accounts ("zombie accounts"), such as former employees or banned users, effectively resurrecting their access without their involvement. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access by allowing privileged clients to obtain valid tokens for disabled users. This means that revoked privileges can be reused without any user interaction or authentication, potentially enabling former employees or banned users to access systems and data they should no longer have access to, increasing the risk of data breaches or unauthorized actions. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or auditing privileged internal clients that invoke the token exchange flow, especially those with impersonation permissions, to prevent issuance of tokens for disabled users. Additionally, update Keycloak to a version where this business logic flaw is fixed to ensure that token exchange properly verifies whether the target user is enabled before issuing tokens. [1]