{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14559", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-12-12T05:37:44.269Z", "datePublished": "2026-01-21T06:13:31.263Z", "dateUpdated": "2026-01-21T14:29:18.923Z"}, "containers": {"cna": {"title": "Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak-services", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14559", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421711", "name": "RHBZ#2421711", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-01-21T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-840", "description": "CWE-840", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-840", "workarounds": [{"lang": "en", "value": "To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability."}], "timeline": [{"lang": "en", "time": "2025-12-12T05:25:55.520000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-21T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Aytac Kalinci for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-21T06:13:31.263Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T14:29:08.373102Z", "id": "CVE-2025-14559", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T14:29:18.923Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14559", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T14:29:08.373102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T14:29:13.627Z"}}], "cna": {"title": "Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users", "credits": [{"lang": "en", "value": "Red Hat would like to thank Aytac Kalinci for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "keycloak-services", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-12-12T05:25:55.520000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-21T00:00:00+00:00", "value": "Made public."}], "datePublic": "2026-01-21T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14559", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421711", "name": "RHBZ#2421711", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-840", "description": "CWE-840"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-21T06:13:31.263Z"}, "x_redhatCweChain": "CWE-840"}}, "cveMetadata": {"cveId": "CVE-2025-14559", "state": "PUBLISHED", "dateUpdated": "2026-01-21T14:29:18.923Z", "dateReserved": "2025-12-12T05:37:44.269Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-01-21T06:13:31.263Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow."}], "id": "CVE-2025-14559", "lastModified": "2026-01-21T07:16:00.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-01-21T07:16:00.623", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-14559"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421711"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-840"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Aytac Kalinci for reporting this issue.", "bugzilla": {"description": "org.keycloak/keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users", "id": "2421711", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421711"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-840", "details": ["A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability."}, "name": "CVE-2025-14559", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "keycloak-services", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2026-01-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-14559\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14559"], "statement": "This vulnerability is rated Moderate for Red Hat. A business logic flaw in the Token Exchange implementation of Keycloak allows a privileged client with impersonation permission to issue access and refresh tokens for disabled users. This can lead to unauthorized access by former employees or banned users, despite their accounts being deactivated. Exploitation requires an internal high-privileged client and does not involve user interaction or direct authentication by the disabled user.", "threat_severity": "Moderate"}