Keycloak Security Advisory: Phishing via Email Verification in First Login Flow

· Security · IDPTrust

Summary
Keycloak has published a new security advisory: Phishing attack via email verification step in first login flow.
Official source: GHSA-xhpr-465j-7p9q.

Severity: Moderate
Affected package: org.keycloak:keycloak-services (Maven)
Affected versions: < 26.0.13 (26.0.x), < 26.2.6 (26.1.x and 26.2.x)
Patched versions: 26.0.13, 26.2.6, 26.3.0

What’s the issue?

The flaw is in the first login flow that Keycloak runs when someone signs in through an identity provider (IdP) for the first time. An attacker who controls an account at a configured IdP starts that flow and, in the “review profile” step, changes the email address to the victim’s. Keycloak then finds the victim’s existing account under that address, treats the sign-in as a request to link the two, and sends a verification email to the victim. If the victim clicks the link, the attacker’s IdP identity is linked to the victim’s account and the attacker can log in as the victim through that IdP.

This is not a zero‑interaction attack: the victim must click the verification link. But the email does not show the attacker’s address or otherwise indicate that someone else’s IdP login triggered it, so to the victim it looks like a routine verification request from Keycloak. That is what makes it a practical phishing lure.

Impact

  • Potential account takeover if the victim clicks the verification link sent during the attacker‑initiated flow.
  • Affects deployments running vulnerable versions listed above.

Our status (IDPTrust)

  • All managed customers have been notified.
  • Patch windows are scheduled across all environments (development, staging, production) to move to the patched versions listed by the advisory.
  • We are auditing account linking and email verification flows and strengthening monitoring around Admin Events and login flows.

Recommended actions

  1. Upgrade to a patched version as soon as possible (26.0.13, 26.2.6, or 26.3.0, per the advisory). Note that no 26.1.x fix is listed, so 26.1.x deployments move to 26.2.6 or later.
  2. Until you upgrade:
    • Consider disabling or restricting account linking in the first login flow where feasible; in particular, prefer verifying an existing account by re‑authentication over verifying it by email.
    • Tell users to treat unexpected email verification requests as suspicious, especially ones they did not trigger themselves.
    • Review the first login flow configured on each IdP (the Review Profile settings and the “Handle Existing Account” steps) and add safeguards such as manual review where appropriate.
  3. Audit recent login/account‑linking events for suspicious activity.
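
One way to carry out the interim hardening in step 2 against an exported flow, as an added example that is not Keycloak’s or IDPTrust’s code: it reads the executions of a first broker login flow in the shape the admin REST API returns, flags the Review Profile and email‑verification steps the attack path needs, and builds the update bodies that take them out of the path. The flow sample, the config and the “e1”..“c1” identifiers are constructed.

```python
"""Audit a Keycloak first-broker-login flow for the settings GHSA-xhpr-465j-7p9q
relies on, and build the admin REST bodies that harden it.

Added example, not Keycloak's or IDPTrust's code. Input shapes follow the admin
REST API: the execution list from
  GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions
and authenticator configs from
  GET /admin/realms/{realm}/authentication/config/{id}
The sample data below is constructed; the "e1".."c1" ids are made up."""
import copy
import json

# Constructed: a default-looking "first broker login" flow, trimmed to the fields used here.
SAMPLE_EXECUTIONS = json.loads("""[
 {"id": "e1", "requirement": "REQUIRED", "displayName": "Review Profile",
  "providerId": "idp-review-profile", "level": 0, "index": 0, "authenticationConfig": "c1"},
 {"id": "e2", "requirement": "REQUIRED", "displayName": "User creation or linking",
  "authenticationFlow": true, "level": 0, "index": 1},
 {"id": "e3", "requirement": "ALTERNATIVE", "displayName": "Create User If Unique",
  "providerId": "idp-create-user-if-unique", "level": 1, "index": 0},
 {"id": "e4", "requirement": "ALTERNATIVE", "displayName": "Handle Existing Account",
  "authenticationFlow": true, "level": 1, "index": 1},
 {"id": "e5", "requirement": "REQUIRED", "displayName": "Confirm link existing account",
  "providerId": "idp-confirm-link", "level": 2, "index": 0},
 {"id": "e6", "requirement": "REQUIRED", "displayName": "Account verification options",
  "authenticationFlow": true, "level": 2, "index": 1},
 {"id": "e7", "requirement": "ALTERNATIVE", "displayName": "Verify existing account by Email",
  "providerId": "idp-email-verification", "level": 3, "index": 0},
 {"id": "e8", "requirement": "ALTERNATIVE", "displayName": "Verify Existing Account by Re-authentication",
  "authenticationFlow": true, "level": 3, "index": 1},
 {"id": "e9", "requirement": "REQUIRED", "displayName": "Username Password Form",
  "providerId": "idp-username-password-form", "level": 4, "index": 0}
]""")

# Constructed: the Review Profile authenticator config. "missing" (the default) and "on"
# both show the profile form, where the email field can be edited.
SAMPLE_CONFIGS = {
    "c1": {"id": "c1", "alias": "review profile config",
           "config": {"update.profile.on.first.login": "missing"}},
}


def find_risky_executions(executions, configs):
    """Return [(execution id, reason)] for the two steps the advisory's attack path needs."""
    findings = []
    for ex in executions:
        pid, req = ex.get("providerId"), ex.get("requirement")
        if req == "DISABLED":
            continue
        if pid == "idp-review-profile":
            cfg = configs.get(ex.get("authenticationConfig"), {}).get("config", {})
            mode = cfg.get("update.profile.on.first.login", "missing")
            if mode != "off":
                findings.append((ex["id"], f"Review Profile form is shown (update.profile.on.first.login={mode}); "
                                           "the email can be changed to another user's address"))
        elif pid == "idp-email-verification":
            findings.append((ex["id"], f"Verify existing account by Email is {req}; "
                                       "a mailed link alone links the brokered identity"))
    return findings


def hardening_updates(executions, configs):
    """Build the PUT bodies that remove both steps from the attack path:
    - email verification -> DISABLED     (PUT .../authentication/flows/{flowAlias}/executions)
    - Review Profile -> update.profile.on.first.login=off (PUT .../authentication/config/{id})
    Verification by re-authentication stays ALTERNATIVE, so linking still works for users
    who can prove the existing account's password."""
    exec_updates, config_updates = [], []
    for ex in executions:
        if ex.get("providerId") == "idp-email-verification" and ex.get("requirement") != "DISABLED":
            exec_updates.append({"id": ex["id"], "requirement": "DISABLED"})
        if ex.get("providerId") == "idp-review-profile" and ex.get("authenticationConfig") in configs:
            cfg = copy.deepcopy(configs[ex["authenticationConfig"]])
            cfg["config"]["update.profile.on.first.login"] = "off"
            config_updates.append(cfg)
    return exec_updates, config_updates


def apply_locally(executions, configs, exec_updates, config_updates):
    """Dry run: apply the update bodies to local copies so the result can be re-audited."""
    executions, configs = copy.deepcopy(executions), copy.deepcopy(configs)
    for upd in exec_updates:
        for ex in executions:
            if ex["id"] == upd["id"]:
                ex["requirement"] = upd["requirement"]
    for cfg in config_updates:
        configs[cfg["id"]] = copy.deepcopy(cfg)
    return executions, configs


if __name__ == "__main__":
    for exec_id, reason in find_risky_executions(SAMPLE_EXECUTIONS, SAMPLE_CONFIGS):
        print(f"[risk] execution {exec_id}: {reason}")
    ex_u, cfg_u = hardening_updates(SAMPLE_EXECUTIONS, SAMPLE_CONFIGS)
    print("execution updates:", json.dumps(ex_u))
    print("config updates:", json.dumps(cfg_u))
    after = apply_locally(SAMPLE_EXECUTIONS, SAMPLE_CONFIGS, ex_u, cfg_u)
    print("remaining findings after hardening:", find_risky_executions(*after))
```

Two caveats before pushing the generated bodies: each IdP in a realm can point at its own first login flow, so run the audit against every flow that an IdP references, not only the default “first broker login” (remember to URL‑encode the alias in the request path). Disabling email verification leaves re‑authentication as the only way to link an existing account, so users who have no local password cannot link until you give them one; and with Review Profile set to “off” the IdP’s mappers must supply the attributes you need, since the user no longer gets a form to fill them in.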

How to check your deployment

  • Confirm your Keycloak version (Admin Console → Server Info, `GET /admin/serverinfo`, or your image tag).
  • Review your First Login Flow steps for IdP logins, especially “review profile” and email verification behavior.
  • Inspect logs and Admin Events around account linking attempts.
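
The version check and the event review from the list above, as an added example that is not Keycloak’s or IDPTrust’s code: a classifier built from the version ranges the advisory lists, and a triage pass over login events that pairs each broker first‑login with the verification email it triggered and flags the pairs where the brokered identity does not match the mailbox that got the link (the shape of the attack described above). The event records, addresses and user ids are constructed; the detail keys (identity_provider, identity_provider_identity, email) are the ones Keycloak writes into its login events, which you should confirm against your own event export before relying on the heuristic.

```python
"""Version classification against GHSA-xhpr-465j-7p9q and a triage pass over
Keycloak login events for the first-login -> verification-email pattern.

Added example, not Keycloak's or IDPTrust's code. Events follow the shape of
GET /admin/realms/{realm}/events (type, time in ms, userId, ipAddress, details);
the sample events, addresses and ids below are constructed."""
from datetime import timedelta

ADVISORY = "GHSA-xhpr-465j-7p9q"


def parse_version(text):
    """Accept "26.0.12", "26.2.5-SNAPSHOT" or an image ref like "quay.io/keycloak/keycloak:26.0.12"."""
    core = text.rsplit(":", 1)[-1].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Keycloak version: {text!r}")
    return tuple(int(p) for p in parts)


def fix_for(version):
    """Return the patched release to move to, or None if already patched.
    Ranges as the advisory lists them: < 26.0.13 and < 26.2.6, fixed in 26.0.13,
    26.2.6 and 26.3.0. Anything older than 26.0 is inside "< 26.0.13" and is
    treated as affected; 26.1.x has no fix of its own and goes to 26.2.6."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (26, 1):
        return None if (major, minor, patch) >= (26, 0, 13) else "26.0.13"
    if (major, minor) <= (26, 2):
        return None if (major, minor, patch) >= (26, 2, 6) else "26.2.6"
    return None  # 26.3.0 and later


# Constructed sample: one benign first login, one matching the advisory's pattern,
# and one verification mail with no broker login behind it.
SAMPLE_EVENTS = [
    {"time": 1753770000000, "type": "IDENTITY_PROVIDER_FIRST_LOGIN", "ipAddress": "198.51.100.10",
     "details": {"identity_provider": "corp-oidc", "identity_provider_identity": "alice@corp.example"}},
    {"time": 1753770020000, "type": "SEND_VERIFY_EMAIL", "userId": "u-alice", "ipAddress": "198.51.100.10",
     "details": {"email": "alice@corp.example"}},
    {"time": 1753771000000, "type": "IDENTITY_PROVIDER_FIRST_LOGIN", "ipAddress": "203.0.113.7",
     "details": {"identity_provider": "social-login", "identity_provider_identity": "mallory@attacker.example"}},
    {"time": 1753771045000, "type": "SEND_VERIFY_EMAIL", "userId": "u-victim", "ipAddress": "203.0.113.7",
     "details": {"email": "victim@corp.example"}},
    {"time": 1753772000000, "type": "SEND_VERIFY_EMAIL", "userId": "u-bob", "ipAddress": "192.0.2.44",
     "details": {"email": "bob@corp.example"}},
]


def suspicious_link_attempts(events, window=timedelta(minutes=15)):
    """Pair each SEND_VERIFY_EMAIL with the latest IDENTITY_PROVIDER_FIRST_LOGIN from the
    same address inside `window`; flag the pair when the brokered identity and the mailbox
    that received the link do not match. Heuristic: full address first, then local part,
    so an IdP that reports "alice" for alice@corp.example still passes."""
    window_ms = int(window.total_seconds() * 1000)
    last_first_login = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "IDENTITY_PROVIDER_FIRST_LOGIN":
            last_first_login[ev["ipAddress"]] = ev
        elif ev["type"] == "SEND_VERIFY_EMAIL":
            first = last_first_login.get(ev["ipAddress"])
            if first is None or ev["time"] - first["time"] > window_ms:
                continue
            brokered = first["details"].get("identity_provider_identity", "").lower()
            mailbox = ev["details"].get("email", "").lower()
            if brokered == mailbox or brokered.split("@")[0] == mailbox.split("@")[0]:
                continue
            findings.append({"userId": ev.get("userId"), "mailbox": mailbox,
                             "brokered_identity": brokered,
                             "identity_provider": first["details"].get("identity_provider"),
                             "ipAddress": ev["ipAddress"], "time": ev["time"]})
    return findings


if __name__ == "__main__":
    for v in ("26.0.12", "26.1.4", "quay.io/keycloak/keycloak:26.2.6"):
        fix = fix_for(v)
        print(f"{v}: {'upgrade to ' + fix if fix else 'patched'} ({ADVISORY})")
    for f in suspicious_link_attempts(SAMPLE_EVENTS):
        print(f"[review] link to {f['userId']} <{f['mailbox']}> requested by "
              f"{f['brokered_identity']} via {f['identity_provider']} from {f['ipAddress']}")
```

Login events must be enabled in the realm (Realm settings → Events) for this to have anything to read; if they were off during the exposure window, the IdP’s own logs are the fallback. Every hit is a lead, not a verdict: a user whose IdP username bears no resemblance to their mailbox will trip the local‑part rule, so compare against the account’s linked federated identities before escalating.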

Timeline

  • Advisory published: 2025-07-29 (by rmartinc).
  • IDPTrust notification & patch scheduling: 2025-07-29.

References

  • GHSA-xhpr-465j-7p9q: https://github.com/advisories/GHSA-xhpr-465j-7p9q