logo

Database

Insecure session management In org.keycloak:keycloak-services

Description

Keycloak does not invalidate offline sessions when the offline_access scope is removed A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-121102. NVD-2025-121103. OSV-2025-121104. GCVE-2025-121105. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2025-12110

References

1. https://github.com/keycloak/keycloak/pull/437902. https://github.com/keycloak/keycloak/commit/54e1c8af1e089ad33d32e0f2792610e4b8df421b3. https://github.com/keycloak/keycloak/commit/c830a27928cac4294619af7d147bdff34d4a85e74. https://bugzilla.redhat.com/show_bug.cgi?id=2406033

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.