{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-21T00:00:00Z",
  "bugzilla" : {
    "description" : "org.keycloak/keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users",
    "id" : "2421711",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2421711"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-840",
  "details" : [ "A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.", "A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat. A business logic flaw in the Token Exchange implementation of Keycloak allows a privileged client with impersonation permission to issue access and refresh tokens for disabled users. This can lead to unauthorized access by former employees or banned users, despite their accounts being deactivated. Exploitation requires an internal high-privileged client and does not involve user interaction or direct authentication by the disabled user.",
  "acknowledgement" : "Red Hat would like to thank Aytac Kalinci for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2366",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.9-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2366",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-11"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2366",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-10"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.9",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2365",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "keycloak-services"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-14559\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14559" ],
  "name" : "CVE-2025-14559",
  "mitigation" : {
    "value" : "To mitigate this issue, disable the Token Exchange preview feature within your Keycloak deployment if it is not actively required. This can typically be achieved through Keycloak's administrative console or by adjusting relevant configuration settings. If the Token Exchange feature must remain enabled, ensure that only strictly necessary and highly trusted clients are granted the 'impersonation' permission. Any changes to Keycloak configuration may require a service restart or reload to take effect, which could temporarily impact service availability.",
    "lang" : "en:us"
  },
  "csaw" : false
}