{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-14559","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2025-12-12T05:37:44.269Z","datePublished":"2026-01-21T06:13:31.263Z","dateUpdated":"2026-02-10T01:04:33.642Z"},"containers":{"cna":{"title":"Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow."}],"affected":[{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-operator-bundle","defaultStatus":"affected","versions":[{"version":"26.4.9-1","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","versions":[{"version":"26.4-11","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"rhbk/keycloak-rhel9-operator","defaultStatus":"affected","versions":[{"version":"26.4-10","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]},{"vendor":"Red Hat","product":"Red Hat build of Keycloak 26.4.9","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","defaultStatus":"unaffected","packageName":"keycloak-services","cpes":["cpe:/a:redhat:build_keycloak:26.4::el9"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:2365","name":"RHSA-2026:2365","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:2366","name":"RHSA-2026:2366","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2025-14559","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2421711","name":"RHBZ#2421711","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-01-21T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-840","description":"CWE-840","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-840","workarounds":[{"lang":"en","value":"To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability."}],"timeline":[{"lang":"en","time":"2025-12-12T05:25:55.520Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-01-21T00:00:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Aytac Kalinci for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-02-10T01:04:33.642Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-21T14:29:08.373102Z","id":"CVE-2025-14559","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-21T14:29:18.923Z"}}]}}