CVE-2025-12110

EPSS 0.06%
Veröffentlicht 23.10.2025 14:19:24
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 9 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerKeycloak

≫

Produkt keycloak

Default Statusunaffected

Version 0

Version < 26.4.3

Status affected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2.11-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-12

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2

Default Statusaffected

Version 26.2-12

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.2.11

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.4

Default Statusaffected

Version 26.4.4-1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.4

Default Statusaffected

Version 26.4-3

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.4

Default Statusaffected

Version 26.4-3

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat build of Keycloak 26.4.4

Default Statusunaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.176

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://access.redhat.com/security/cve/CVE-2025-12110

https://bugzilla.redhat.com/show_bug.cgi?id=2406033

https://access.redhat.com/errata/RHSA-2025:21370

https://access.redhat.com/errata/RHSA-2025:21371

https://access.redhat.com/errata/RHSA-2025:22089

https://access.redhat.com/errata/RHSA-2025:22088

https://github.com/keycloak/keycloak/pull/43790

https://nvd.nist.gov/vuln/detail/CVE-2025-12110

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-12110

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-12110

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-12110