CVE-2025-12390

🗓️ 28 Oct 2025 13:23:34Reported by redhatType

Keycloak logout may reveal another user's session due to reused session IDs and cookie cleanup failure.

Reporter	Title	Published	Views	Family All 25
Chainguard	CVE-2025-12390 vulnerabilities	7 Jan 202601:30	–	cgr
Circl	CVE-2025-12390	28 Oct 202513:51	–	circl
CNNVD	Red Hat build of Keycloak 授权问题漏洞	28 Oct 202500:00	–	cnnvd
Cvelist	CVE-2025-12390 Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id	28 Oct 202513:23	–	cvelist
EUVD	EUVD-2025-36502	28 Oct 202515:30	–	euvd
Github Security Blog	Keycloak vulnerable to session takeovers due to reuse of session identifiers	28 Oct 202515:30	–	github
NVD	CVE-2025-12390	28 Oct 202514:15	–	nvd
OSV	CGA-M6JM-QXW7-GC4W	29 Jan 202600:47	–	osv
OSV	CVE-2025-12390	28 Oct 202514:15	–	osv
OSV	GHSA-RG35-5V25-MQVP Keycloak vulnerable to session takeovers due to reuse of session identifiers	28 Oct 202515:30	–	osv

Vulners

Node

keycloak keycloakRange≤0

[
  {
    "vendor": "Keycloak",
    "product": "keycloak",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "26.0.0",
        "versionType": "semver"
      }
    ],
    "packageName": "keycloak",
    "collectionURL": "https://github.com/keycloak/keycloak",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.2.11-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.2-12",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.2-12",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.2.11",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.2::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.4",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.4.4-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.4",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.4-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.4",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhbk/keycloak-rhel9-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "26.4-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Keycloak 26.4.4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "keycloak",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:26.4::el9"
    ]
  }
]

Source	Link
github	www.github.com/keycloak/keycloak/issues/43853
access	www.access.redhat.com/errata/RHSA-2025:21370
access	www.access.redhat.com/errata/RHSA-2025:22088
access	www.access.redhat.com/errata/RHSA-2025:21371
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/errata/RHSA-2025:22089
access	www.access.redhat.com/security/cve/CVE-2025-12390

15 Apr 2026 00:35Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.16

EPSS0.00017

SSVC

CWE-384