CVE Alert

CVE-2025-12390

MEDIUM 6.0

org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: offline session takeover due to reused authentication session ID

CVSS Score: 6.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A flaw was found in Keycloak where a user can accidentally gain access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses authentication session identifiers and does not clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

CWE: CWE-384 (Session Fixation)
Vendor: keycloak
Product: keycloak
Published: Oct 28, 2025
Last Updated: Jan 6, 2026
CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

Keycloak / keycloak: 0 < 26.0.0
Red Hat / Red Hat build of Keycloak 26.2: All versions affected
Red Hat / Red Hat build of Keycloak 26.2.11: All versions affected
Red Hat / Red Hat build of Keycloak 26.4: All versions affected
Red Hat / Red Hat build of Keycloak 26.4.4: All versions affected

References

access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21370
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:21371
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:22088
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:22089
access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-12390
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2406793
github.com: https://github.com/keycloak/keycloak/issues/43853

Credits

Red Hat would like to thank Simon Levermann (CTS EVENTIM Solutions GmbH) for reporting this issue.