CVE-2025-14559

MEDIUM EPSS 35.4%

Published Jan 21, 20265mo ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Jan 21, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.

CVSS Details

Base Score

6.5

Exploitability

1.2

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

35.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-840

References 4

access.redhat.com https://access.redhat.com/errata/RHSA-2026:2365
access.redhat.com https://access.redhat.com/errata/RHSA-2026:2366
access.redhat.com https://access.redhat.com/security/cve/CVE-2025-14559
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2421711

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.