CVE-2025-14559
Unknown Unknown - Not Provided
Business Logic Flaw in Keycloak Token Exchange Enables Unauthorized Access

Publication date: 2026-01-21

Last updated on: 2026-02-10

Assigner: Red Hat, Inc.

Description
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14559
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat keycloak to *-* (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-840 Business Logic Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a business logic flaw in Keycloak's token exchange process. When a privileged internal client requests token exchange, Keycloak fails to check if the target user account is disabled. As a result, access and refresh tokens can be issued for disabled users, allowing an attacker with impersonation permissions to generate tokens for deactivated accounts ("zombie accounts"), such as former employees or banned users, effectively resurrecting their access without their involvement. [1]

Impact Analysis

The vulnerability can lead to unauthorized access by allowing privileged clients to obtain valid tokens for disabled users. This means that revoked privileges can be reused without any user interaction or authentication, potentially enabling former employees or banned users to access systems and data they should no longer have access to, increasing the risk of data breaches or unauthorized actions. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or auditing privileged internal clients that invoke the token exchange flow, especially those with impersonation permissions, to prevent issuance of tokens for disabled users. Additionally, update Keycloak to a version where this business logic flaw is fixed to ensure that token exchange properly verifies whether the target user is enabled before issuing tokens. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart