Keycloak Cross-Session Email Verification Vulnerability Allows Account Linking

Vulnerability

A vulnerability in Keycloak's email verification process can lead to unauthorized account linking. The verification proof is bound only to the local user ID and the identity provider alias; it does not reference the upstream identity that was actually verified. As a result, a different account on the same identity provider can reuse the proof and link itself to the victim's local account. The vulnerability is present in all versions of the Red Hat Build of Keycloak.

Impact

Exploitation of this vulnerability allows an attacker whose upstream identity provider account shares an email address with the victim to link that account to the victim's local account, gaining persistent access to it.

Remediation

To address this vulnerability, configure the affected identity provider to trust email verification by setting the provider's 'trustEmail' option to true. Apply this change only if the identity provider is fully trusted to verify email addresses accurately, because Keycloak will then accept the provider's email claim without running its own verification step. After making this adjustment, a restart or reload of the Keycloak service may be necessary for the change to take effect.
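The following audit script is an added example, not code from the advisory or from the Keycloak project. It lists the identity providers in a realm whose 'trustEmail' option is still false, so an administrator can decide per provider whether it is trusted enough to enable the setting, and it builds the updated representation to send back. It assumes the Keycloak Admin REST API endpoint GET /admin/realms/{realm}/identity-provider/instances, which returns a list of identity-provider representations each carrying a top-level boolean "trustEmail" field; the base URL, realm name, bearer token and the sample provider list are constructed placeholders.

```python
"""Audit a Keycloak realm's identity providers for trustEmail=false.

Added example, not code from the advisory or from the Keycloak project.
Assumes the Keycloak Admin REST API endpoint
GET /admin/realms/{realm}/identity-provider/instances, whose JSON response
is a list of identity-provider representations with a top-level boolean
"trustEmail" field. Base URL, realm and token below are placeholders.
"""
import json
import urllib.request

# Constructed sample response: what the identity-provider list endpoint
# would return for a realm with three brokered identity providers.
SAMPLE_IDPS = [
    {"alias": "corp-oidc", "providerId": "oidc", "enabled": True, "trustEmail": False},
    {"alias": "partner-saml", "providerId": "saml", "enabled": True, "trustEmail": True},
    {"alias": "legacy-oidc", "providerId": "oidc", "enabled": False, "trustEmail": False},
]


def find_untrusted_email_idps(idps, include_disabled=False):
    """Return aliases of identity providers whose trustEmail is false or absent.

    These providers still rely on Keycloak's own email-verification step when
    an account is linked. Disabled providers are skipped unless
    include_disabled is set, since they cannot be used to link an account
    until they are re-enabled.
    """
    flagged = []
    for idp in idps:
        if not include_disabled and not idp.get("enabled", True):
            continue
        if not idp.get("trustEmail", False):
            flagged.append(idp["alias"])
    return flagged


def build_trust_email_update(idp):
    """Return a copy of the representation with trustEmail enabled.

    The update endpoint replaces the whole representation, so every other
    field is carried over unchanged instead of sending a partial object.
    """
    updated = dict(idp)
    updated["trustEmail"] = True
    return updated


def fetch_idps(base_url, realm, token):
    """GET the realm's identity-provider list using an admin bearer token."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def put_idp(base_url, realm, token, idp):
    """PUT an updated identity-provider representation; returns the HTTP status."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances/{idp['alias']}"
    req = urllib.request.Request(
        url,
        data=json.dumps(idp).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline run over the constructed sample. Against a real realm, replace
    # SAMPLE_IDPS with fetch_idps("https://keycloak.example.invalid", "myrealm", token)
    # and, for each provider judged trustworthy, call put_idp() with
    # build_trust_email_update(idp). The script deliberately reports rather
    # than applies, because the advisory's caveat is a per-provider judgement.
    for alias in find_untrusted_email_idps(SAMPLE_IDPS):
        print(f"{alias}: trustEmail is false; confirm this provider verifies email "
              f"reliably before enabling it")
```

Reporting is separated from applying on purpose: enabling trustEmail on a provider that does not itself verify email addresses would replace one weakness with another, so the PUT step is left to an explicit call per provider.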

Added: May 20, 2026, 5:32 PM
Updated: May 20, 2026, 5:32 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          2.5
exploitability  6.0
remediation     7.9
relevance       8.9
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.