CVE-2025-14559

Medium severity (6.5) · NVD Advisory · Published Jan 21, 2026 · Updated Apr 15, 2026

Description

A flaw was found in the keycloak-services component of Keycloak. Because of a business logic vulnerability in the Token Exchange implementation, a privileged client invoking the token exchange flow can obtain access and refresh tokens for disabled users, allowing continued use of privileges that had already been revoked.
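The check that this class of flaw omits is easy to see in a toy token exchange handler. The following is an added example, not Keycloak's code: it mints HMAC-signed tokens that stand in for JWTs, keeps a constructed user store, and contrasts an exchange path that only validates the subject token (the flawed pattern) with one that re-reads the subject's current enabled state and roles from the user store before issuing anything. The client list, user names, key and token format are all constructed for the demo.

```python
"""Toy RFC 8693-style token exchange (constructed example, not Keycloak code).

A valid subject token proves the token was issued, not that the subject is
still allowed to act. The exchange endpoint must check the user's current
state, because the token may predate the account being disabled.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: a real IdP signs with an asymmetric key from its keystore.
SIGNING_KEY = b"constructed-demo-hmac-key"
PRIVILEGED_CLIENTS = {"gateway"}  # clients allowed to call the exchange flow (constructed)

# Constructed user store standing in for the IdP's user database.
USERS = {
    "alice": {"enabled": True, "roles": ["reader"]},
    "mallory": {"enabled": True, "roles": ["admin"]},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, roles: list, ttl: int = 300, now: Optional[float] = None) -> str:
    """Mint a compact signed token 'payload.signature' that stands in for a JWT."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": sub, "roles": roles, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry are good, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
    except (ValueError, json.JSONDecodeError):
        return None
    return claims if claims.get("exp", 0) > now else None


def exchange_token_unchecked(subject_token: str, client_id: str) -> Optional[str]:
    """Flawed pattern: a privileged client presenting a valid subject token gets
    fresh tokens for that subject even if the account has since been disabled."""
    if client_id not in PRIVILEGED_CLIENTS:
        return None
    claims = verify_token(subject_token)
    if claims is None:
        return None
    return issue_token(claims["sub"], claims["roles"])


def exchange_token(subject_token: str, client_id: str) -> Optional[str]:
    """Hardened pattern: consult the user store at exchange time, and derive roles
    from the store rather than copying them out of the old token."""
    if client_id not in PRIVILEGED_CLIENTS:
        return None
    claims = verify_token(subject_token)
    if claims is None:
        return None
    user = USERS.get(claims["sub"])
    if user is None or not user["enabled"]:
        return None  # disabled or deleted user: no new access or refresh tokens
    return issue_token(claims["sub"], user["roles"])


def demo() -> dict:
    """Mint a token for mallory, disable the account, then try both exchange paths."""
    old = issue_token("mallory", USERS["mallory"]["roles"])
    USERS["mallory"]["enabled"] = False
    unchecked = exchange_token_unchecked(old, "gateway")
    checked = exchange_token(old, "gateway")
    USERS["mallory"]["enabled"] = True  # restore so repeated runs behave the same
    return {"unchecked_issued": unchecked is not None, "checked_issued": checked is not None}


if __name__ == "__main__":
    print(demo())  # constructed run: {'unchecked_issued': True, 'checked_issued': False}
```

The point of the hardened path is the order of checks: client authorization, then token validity, then the subject's live state. Re-reading roles from the store also means a token issued before a role was removed cannot be laundered into a fresh token that still carries it.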


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions      Patched versions
org.keycloak:keycloak-services   Maven       >= 26.5.0, < 26.5.2    26.5.2
org.keycloak:keycloak-services   Maven       < 26.4.9               26.4.9
