Keycloak Session ID Reuse Allows Token Hijacking
CVE-2025-12390 Published on October 28, 2025
Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesnt clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.
Vulnerability Analysis
CVE-2025-12390 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Products Associated with CVE-2025-12390
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-12390 are published in these products:
Affected Versions
keycloak:- Before 26.0.0 is affected.
- Version 26.2.11-1 and below * is unaffected.
- Version 26.2-12 and below * is unaffected.
- Version 26.2-12 and below * is unaffected.
- Version 26.4.4-1 and below * is unaffected.
- Version 26.4-3 and below * is unaffected.
- Version 26.4-3 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.