5 matches found
keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client's offline_access scope was removed
A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...
keycloak: org.keycloak:keycloak-services: User can refresh offline session even after client's offline_access scope was removed
A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...
CVE-2025-12110
A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...
CVE-2025-12110 Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed
A flaw was found in Keycloak. An offline session continues to be valid when the offlineaccess scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and...
CVE-2025-12110
The CVE-2025-12110 issue affects Keycloak: when the offline_access scope is removed from a client, an offline session remains valid and the refresh token can still request new tokens, allowing continued access. This is documented across multiple sources (GHSA, OSV, Red Hat advisories) and is high...