org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: Offline Session takeover due to reused Authentication Session ID

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As...

Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.4 Images Security Update

New images are available for Red Hat build of Keycloak 26.4.4 and Red Hat build of Keycloak 26.4.4 Operator, running on OpenShift Container Platform Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat...

keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.4 Security Update

New Red Hat build of Keycloak 26.4.4 packages are available from the Customer Portal Red Hat build of Keycloak 26.4.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security fixes...

CVE-2025-12390 Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As...

CVE-2025-12390 Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As...

CVE-2025-12390

CVE-2025-12390 affects Keycloak; it describes an offline session takeover where a user could receive another user’s tokens due to reusing session identifiers and incomplete logout cleanup when cookies are missing. Connected sources confirm this vulnerability in Keycloak and reference Red Hat advi...

CVE-2025-12110

A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...

Red Hat build of Keycloak 代码问题漏洞

Red Hat build of Keycloak is a web application for single sign-on from Red Hat, Inc. A code issue vulnerability exists in the Red Hat build of Keycloak, which stems from an offline session remaining active after removing the client's offlineaccess scope, which could lead to an administrator...

Important: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.6 security update on RHEL 8

New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...