CVE-2025-12110

MEDIUM 5.4

Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

CWE	CWE-613
Vendor	keycloak
Product	keycloak
Published	Oct 23, 2025
Last Updated	Jan 20, 2026

Stay Ahead of the Next One

Get instant alerts for keycloak keycloak

Be the first to know when new medium vulnerabilities affecting keycloak keycloak are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Keycloak / keycloak

0 < 26.4.3

Red Hat / Red Hat build of Keycloak 26.2

All versions affected

Red Hat / Red Hat build of Keycloak 26.2

All versions affected

Red Hat / Red Hat build of Keycloak 26.2

All versions affected

Red Hat / Red Hat build of Keycloak 26.2.11

All versions affected

Red Hat / Red Hat build of Keycloak 26.4

All versions affected

Red Hat / Red Hat build of Keycloak 26.4

All versions affected

Red Hat / Red Hat build of Keycloak 26.4

All versions affected

Red Hat / Red Hat build of Keycloak 26.4.4

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21370 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21371 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:22088 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:22089 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-12110 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2406033 github.com: https://github.com/keycloak/keycloak/pull/43790