Lucene search
+L

43 matches found

Github Security Blog
Github Security Blog
added 2026/07/07 8:55 p.m.19 views

Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption

Am I affected? Users are affected if all of the following are true: - Their project depends on @better-auth/oauth-provider at a version = 1.6.0, = 1.4.8-beta.7, 1.6.0. - At least one OAuth client served by their application's authorization server requests the offlineaccess scope, so refresh token...

8.1CVSS5.9AI score0.00413EPSS
Exploits0References4Affected Software2
Snyk
Snyk
added 2026/07/07 8:55 p.m.5 views

Insufficient Session Expiration

Overview @better-auth/oauth-provider is an An oauth provider plugin for Better Auth Affected versions of this package are vulnerable to Insufficient Session Expiration through the POST /oauth2/token endpoint during the refresh token granting. An attacker can gain unauthorized access by exploiting...

8.1CVSS6.1AI score0.00413EPSS
Exploits0References5
Snyk
Snyk
added 2026/07/07 8:55 p.m.6 views

Insufficient Session Expiration

Overview @better-auth/memory-adapter is a Memory adapter for Better Auth Affected versions of this package are vulnerable to Insufficient Session Expiration through the POST /oauth2/token endpoint during the refresh token granting. An attacker can gain unauthorized access by exploiting a race...

8.1CVSS6.1AI score0.00413EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.9 views

PT-2026-56301

Name of the Vulnerable Software and Affected Versions @better-auth/oauth-provider versions 1.6.0 through 1.6.10 better-auth versions 1.4.8-beta.7 through 1.5.x Description The @better-auth/oauth-provider POST /oauth2/token endpoint is susceptible to a race condition during the refresh token grant...

8.1CVSS6.1AI score0.00413EPSS
Exploits0References7
Veracode
Veracode
added 2025/12/13 4:36 a.m.12 views

Improper Session Invalidation

org.keycloak, keycloak-services is vulnerable to Improper session invalidation.The vulnerability is due to offline sessions remaining valid even after the offlineaccess scope is removed from the client, which allows an attacker with an existing offline refresh token to continue requesting new...

5.4CVSS6.6AI score0.00272EPSS
Exploits0References10Affected Software1
RedHat Linux
RedHat Linux
added 2025/11/25 4:6 p.m.6 views

keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS5.7AI score0.00272EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2025/11/13 5:51 p.m.4 views

keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS5.7AI score0.00272EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/10/23 3:30 p.m.11 views

Keycloak does not invalidate offline sessions when the offline_access scope is removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS6.5AI score0.00272EPSS
Exploits0References11Affected Software1
EUVD
EUVD
added 2025/10/23 3:30 p.m.8 views

EUVD-2025-35690

Keycloak does not invalidate offline sessions when the offlineaccess scope is removed...

5.4CVSS6.4AI score0.00272EPSS
Exploits0References4
Snyk
Snyk
added 2025/10/23 3:30 p.m.3 views

Insufficient Session Expiration

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the offline session of a user not being invalidated when the...

5.4CVSS6.7AI score0.00272EPSS
Exploits0References2
NVD
NVD
added 2025/10/23 3:15 p.m.10 views

CVE-2025-12110

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS0.00272EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2025/10/23 2:19 p.m.2 views

CVE-2025-12110 Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS6.1AI score0.00272EPSS
Exploits0References7
Cvelist
Cvelist
added 2025/10/23 2:19 p.m.12 views

CVE-2025-12110 Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS0.00272EPSS
Exploits0References7
CVE
CVE
added 2025/10/23 2:19 p.m.31 views

CVE-2025-12110

The CVE-2025-12110 issue affects Keycloak: when the offline_access scope is removed from a client, an offline session remains valid and the refresh token can still request new tokens, allowing continued access. This is documented across multiple sources (GHSA, OSV, Red Hat advisories) and is high...

5.4CVSS6.1AI score0.00272EPSS
Exploits0References7
OSV
OSV
added 2025/10/23 2:19 p.m.6 views

CVE-2025-12110 Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS6AI score0.00272EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2025/10/23 2:19 p.m.6 views

CVE-2025-12110

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

5.4CVSS6AI score0.00272EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/10/23 12:0 a.m.6 views

PT-2025-43517

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak where an offline session remains valid even after the offline access scope is removed from the client. The refresh token continues to be accepted, allowing for the...

5.4CVSS6.2AI score0.00272EPSS
Exploits0References21
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-19217

Malicious code in bioql PyPI...

5.2CVSS6.5AI score0.00202EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.20 views

EUVD-2022-7575

Malicious code in bioql PyPI...

6.8CVSS6.2AI score0.00952EPSS
Exploits0References15
NVD
NVD
added 2025/06/26 6:15 p.m.5 views

CVE-2025-53013

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. A vulnerability present in versions 0.9.10 through 0.9.16 allows a user to authenticate to a Linux host via Himmelblau using an invalid Linux Hello PIN, provided the host is offline. While the user gains access to th...

5.2CVSS0.00202EPSS
Exploits0References5
Rows per page
Query Builder