CVE-2025-12110: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2025-12110) was discovered in Keycloak, affecting versions prior to 26.3.0. The flaw allows offline sessions to remain valid even after the offline_access scope is removed from the client. This vulnerability was disclosed on October 23, 2025, and primarily affects the Keycloak authentication and authorization system (Miggo, NVD).

The vulnerability is classified as CWE-613 (Insufficient Session Expiration) with a CVSS v3.1 base score of 5.4 (Medium). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity and privileges, needs no user interaction, and has a limited impact on confidentiality and integrity with no impact on availability (Miggo, NVD).

When exploited, the vulnerability allows refresh tokens to continue being accepted and new tokens to be requested for the session even after the offline_access scope has been removed. This creates a security risk where administrators may incorrectly assume that offline sessions are no longer available after removing the scope, while in reality, they remain active (Red Hat).

The vulnerability has been patched in Keycloak version 26.3.0. Organizations using affected versions should upgrade to this version or later to address the security issue (Miggo).