CVE-2025-12110

MEDIUM

Org.keycloak Keycloak-services - Insufficient Session Expiration

Title source: rule

Description

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

References (7)

[Issue Tracking] https://github.com/keycloak/keycloak/pull/43790

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:21370

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:21371

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:22088

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:22089

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-12110

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2406033

Scores

CVSS v3 5.4

EPSS 0.0006

EPSS Percentile 17.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (8)

Keycloak/keycloak < 26.4.3

org.keycloak/keycloak-services 0 - 26.2.3Maven

Red Hat/Red Hat build of Keycloak 26.2 26.2-12

Red Hat/Red Hat build of Keycloak 26.2 26.2.11-1

Red Hat/Red Hat build of Keycloak 26.2.11

Red Hat/Red Hat build of Keycloak 26.4 26.4-3

Red Hat/Red Hat build of Keycloak 26.4 26.4.4-1

Red Hat/Red Hat build of Keycloak 26.4.4

Published Oct 23, 2025

Tracked Since Feb 18, 2026