Keycloak Offline Session Persistence when Offline_Access scope removed
CVE-2025-12110 Published on October 23, 2025
Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
Vulnerability Analysis
CVE-2025-12110 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Products Associated with CVE-2025-12110
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-12110 are published in these products:
Affected Versions
keycloak:- Before 26.4.3 is affected.
- Version 26.2.11-1 and below * is unaffected.
- Version 26.2-12 and below * is unaffected.
- Version 26.2-12 and below * is unaffected.
- Version 26.4.4-1 and below * is unaffected.
- Version 26.4-3 and below * is unaffected.
- Version 26.4-3 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.