Medium severity 6.5 · NVD Advisory · Published Jan 21, 2026 · Updated Apr 15, 2026
CVE-2025-14559
Description
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | >= 26.5.0, < 26.5.2 | 26.5.2 |
| org.keycloak:keycloak-services (Maven) | < 26.4.9 | 26.4.9 |
Affected products (7)
- osv-coords (7 versions), range: < 26.5.2-r0 + 6 more
  - pkg:apk/chainguard/keycloak-26.5
  - pkg:apk/chainguard/keycloak-26.5-iamguarded-compat
  - pkg:apk/chainguard/keycloak-fips-26.5
  - pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fips
  - pkg:apk/wolfi/keycloak-26.5
  - pkg:apk/wolfi/keycloak-26.5-iamguarded-compat
  - pkg:maven/org.keycloak/keycloak-services
- (no CPE) range: < 26.5.2-r0
- (no CPE) range: < 26.5.2-r0
- (no CPE) range: < 26.5.2-r0
- (no CPE) range: < 26.5.2-r0
- (no CPE) range: < 26.5.2-r0
- (no CPE) range: < 26.5.2-r0
- (no CPE) range: >= 26.5.0, < 26.5.2
References (10)
- github.com/advisories/GHSA-wv3h-x6c4-r867 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-14559 (ghsa, ADVISORY)
- access.redhat.com/errata/RHSA-2026:2365 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:2366 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2025-14559 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e659 (ghsa, WEB)
- github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff (ghsa, WEB)
- github.com/keycloak/keycloak/issues/45651 (ghsa, WEB)
- github.com/keycloak/keycloak/releases/tag/26.5.2 (ghsa, WEB)