PT-2025-43517 · Red Hat · Keycloak
Published 2025-10-23 · Updated 2025-12-19 · CVE-2025-12110
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Keycloak (affected versions not specified)
Description
A flaw exists in Keycloak where an offline session remains valid even after the offline access scope is removed from the client. The refresh token continues to be accepted, so new tokens can still be requested for that session. As a result, an administrator who removes the scope may incorrectly assume that offline sessions are no longer available, while they in fact remain active. The core of the issue is the continued acceptance of refresh tokens after the offline access scope has been revoked.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
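To make the behaviour concrete, here is an added in-memory model (not Keycloak's code) of offline-session refresh: the vulnerable check trusts only the scope recorded when the token was issued, the hardened check re-validates against the client's current scopes, and an audit helper lists offline sessions left behind after the scope was removed. All class and method names are assumptions for illustration.

```python
# Added illustration, not Keycloak source: an in-memory model of offline-session
# refresh showing the behaviour described in CVE-2025-12110 and a hardened check.
from dataclasses import dataclass, field

OFFLINE_ACCESS = "offline_access"  # OIDC scope that permits offline (long-lived) sessions


@dataclass
class Client:
    client_id: str
    scopes: set = field(default_factory=set)  # client scopes currently assigned


@dataclass
class OfflineSession:
    session_id: str
    client_id: str
    scope: str            # scope string recorded when the refresh token was issued
    active: bool = True


class Realm:
    def __init__(self):
        self.clients = {}
        self.offline_sessions = {}

    def add_client(self, client_id, scopes):
        self.clients[client_id] = Client(client_id, set(scopes))

    def issue_offline_token(self, session_id, client_id):
        # Issuance correctly requires the scope; the session id stands in for the token.
        if OFFLINE_ACCESS not in self.clients[client_id].scopes:
            raise PermissionError("client may not request offline_access")
        self.offline_sessions[session_id] = OfflineSession(session_id, client_id, OFFLINE_ACCESS)
        return session_id

    def remove_scope(self, client_id, scope):
        self.clients[client_id].scopes.discard(scope)

    def refresh_vulnerable(self, session_id):
        # Flawed: only looks at what was recorded at issue time, so removing the
        # scope from the client later has no effect on existing offline sessions.
        s = self.offline_sessions[session_id]
        return s.active and s.scope == OFFLINE_ACCESS

    def refresh_hardened(self, session_id):
        # Hardened: the client must still hold offline_access now; otherwise the
        # orphaned session is deactivated and the refresh is rejected.
        s = self.offline_sessions[session_id]
        if s.active and OFFLINE_ACCESS not in self.clients[s.client_id].scopes:
            s.active = False
        return s.active

    def orphaned_offline_sessions(self):
        # Audit: active offline sessions whose client no longer has offline_access.
        return [sid for sid, s in self.offline_sessions.items()
                if s.active and OFFLINE_ACCESS not in self.clients[s.client_id].scopes]
```

Until a fixed version is available, the audit view is the practical takeaway: after removing the scope, explicitly list and revoke the client's remaining offline sessions instead of assuming they are gone.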
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
CVE-2025-12110
Affected Products
Keycloak