Red Hat Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak's account merging process during identity provider (IdP) login. An authenticated attacker can merge their account with that of a victim and is subsequently prompted to 'review profile' information. This allows the attacker to change their email address to match the victim's, which triggers a verification email to the victim. Because the verification email does not mention the attacker's account or email, the victim has no indication that the request originated elsewhere, creating a phishing opportunity. If the victim clicks the verification link, the attacker gains access to the victim's account.
Exploitation of this vulnerability allows an attacker to gain unauthorized access to a victim's account.
To reproduce this vulnerability, an authenticated attacker must initiate the account merging process with a victim's account during an IdP login. After merging, the attacker can modify their email address to match that of the victim, which will send a verification email to the victim's inbox. If the victim clicks the verification link, the attacker will be granted access to the victim's account.
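The sequence above leaves a recognizable trace in a realm's login event stream: an IdP account-link event for one user, followed shortly by an email change to an address that already belongs to a different user, then a verification email being sent. The following detection logic, an added example that is not part of the advisory or of Keycloak itself, correlates those events over a constructed sample stream. The event type names (IDENTITY_PROVIDER_LINK_ACCOUNT, FEDERATED_IDENTITY_LINK, UPDATE_EMAIL, SEND_VERIFY_EMAIL) and the `previous_email`/`updated_email` detail keys are assumed to match Keycloak's event model and should be checked against your deployment; the user directory, ids and addresses are constructed.

```python
from datetime import timedelta

# Event types that indicate an IdP account link/merge. Assumed Keycloak names.
LINK_EVENTS = {"IDENTITY_PROVIDER_LINK_ACCOUNT", "FEDERATED_IDENTITY_LINK"}

# Constructed user directory: user id -> registered email address.
USERS = {
    "u-attacker": "attacker@example.test",
    "u-victim": "victim@example.test",
    "u-other": "other@example.test",
}

# Constructed Keycloak-style login events (time is epoch milliseconds).
SAMPLE_EVENTS = [
    {"time": 1_700_000_000_000, "type": "IDENTITY_PROVIDER_LINK_ACCOUNT",
     "userId": "u-attacker", "ipAddress": "203.0.113.5",
     "details": {"identity_provider": "corp-oidc"}},
    {"time": 1_700_000_060_000, "type": "UPDATE_EMAIL",
     "userId": "u-attacker", "ipAddress": "203.0.113.5",
     "details": {"previous_email": "attacker@example.test",
                 "updated_email": "victim@example.test"}},
    {"time": 1_700_000_061_000, "type": "SEND_VERIFY_EMAIL",
     "userId": "u-attacker", "ipAddress": "203.0.113.5",
     "details": {"email": "victim@example.test"}},
    # Benign: a user moves to a fresh address nobody else owns.
    {"time": 1_700_000_500_000, "type": "UPDATE_EMAIL",
     "userId": "u-other", "ipAddress": "198.51.100.7",
     "details": {"previous_email": "other@example.test",
                 "updated_email": "other.new@example.test"}},
]


def find_suspicious_email_changes(events, users, window=timedelta(minutes=15)):
    """Flag UPDATE_EMAIL events whose new address already belongs to another user.

    Each finding records whether the same user performed an IdP link within
    `window` before the change, which is the pattern the advisory describes.
    """
    email_owner = {email.lower(): uid for uid, email in users.items()}
    window_ms = int(window.total_seconds() * 1000)
    last_link = {}  # userId -> time of that user's most recent IdP link event
    findings = []

    for ev in sorted(events, key=lambda e: e["time"]):
        uid = ev.get("userId")
        if ev["type"] in LINK_EVENTS:
            last_link[uid] = ev["time"]
            continue
        if ev["type"] != "UPDATE_EMAIL":
            continue

        new_email = ev.get("details", {}).get("updated_email", "").lower()
        owner = email_owner.get(new_email)
        # Only a collision with a *different* existing account is interesting.
        if owner is None or owner == uid:
            continue

        link_time = last_link.get(uid)
        after_link = link_time is not None and ev["time"] - link_time <= window_ms
        findings.append({
            "actor": uid,
            "collides_with": owner,
            "email": new_email,
            "after_idp_link": after_link,
            "ip": ev.get("ipAddress"),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_email_changes(SAMPLE_EVENTS, USERS):
        print(f)
```

The email collision alone is worth an alert in a realm that expects unique emails; the `after_idp_link` flag narrows it to the account-merge path described here. Feeding the function a realm's exported login events (with email verification events enabled in the realm's event settings) lets the check run against real data rather than the constructed sample.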