CVE-2025-12390

Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id

CVSS 6 MEDIUMEPSS 0.1%CWE-384

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

28 Oct 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Affected products

Keycloak · keycloak Red Hat · Red Hat build of Keycloak 26.2 Red Hat · Red Hat build of Keycloak 26.2.11 Red Hat · Red Hat build of Keycloak 26.4 Red Hat · Red Hat build of Keycloak 26.4.4

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/errata/RHSA-2025:21370 https://access.redhat.com/errata/RHSA-2025:21371 https://access.redhat.com/errata/RHSA-2025:22088 https://access.redhat.com/errata/RHSA-2025:22089 https://access.redhat.com/security/cve/CVE-2025-12390 https://bugzilla.redhat.com/show_bug.cgi?id=2406793 https://github.com/keycloak/keycloak/issues/43853