Home

Description

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

PUBLISHED Reserved 2025-10-28 | Published 2025-10-28 | Updated 2025-10-28 | Assigner redhat




MEDIUM: 6.0CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Problem types

Session Fixation

Product status

Default status
affected

Timeline

2025-10-28:Reported to Red Hat.
2025-10-28:Made public.

Credits

Red Hat would like to thank Simon Levermann (CTS EVENTIM Solutions GmbH) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-12390 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2406793 (RHBZ#2406793) issue-tracking

cve.org (CVE-2025-12390)

nvd.nist.gov (CVE-2025-12390)

Download JSON