CVE-2025-12110
MEDIUMKeycloak < 26.4.3 - Insufficient Session Expiration via Offline Access Scope Removal
Title source: llmDescription
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
References (7)
Core 7
Core References
Issue Tracking
https://github.com/keycloak/keycloak/pull/43790
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:21370
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:21371
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:22088
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:22089
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2025-12110
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2406033
Scores
CVSS v3
5.4
EPSS
0.0025
EPSS Percentile
15.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (8)
Keycloak/keycloak
< 26.4.3
org.keycloak/keycloak-services
0 - 26.2.3Maven
Red Hat/Red Hat build of Keycloak 26.2
26.2-12
Red Hat/Red Hat build of Keycloak 26.2
26.2.11-1
Red Hat/Red Hat build of Keycloak 26.2.11
Red Hat/Red Hat build of Keycloak 26.4
26.4-3
Red Hat/Red Hat build of Keycloak 26.4
26.4.4-1
Red Hat/Red Hat build of Keycloak 26.4.4
Published
Oct 23, 2025
Tracked Since
Feb 18, 2026