
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was found in Keycloak (CVE-2025-12390) where a user can accidentally get access to another user's session if both use the same device and browser. This vulnerability was discovered and disclosed on October 28, 2025, affecting Keycloak versions <= 26.4.2. The issue stems from Keycloak's improper handling of session identifiers during logout operations, particularly when browser cookies are missing (NVD, Miggo).
The vulnerability is classified as CWE-384 (Session Fixation) with a CVSS v3.1 base score of 6.0 (Medium). The CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, indicating local access, high attack complexity, low privileges required, user interaction required, and potential for high confidentiality and integrity impact. The vulnerability is specifically located in the org.keycloak.protocol.oidc.endpoints.LogoutEndpoint component, where session identifiers are improperly managed during the logout process (Red Hat).
When exploited, this vulnerability can lead to unauthorized access to user sessions. One user may receive tokens that belong to another user, potentially compromising the confidentiality and integrity of user sessions. This is particularly concerning in environments where multiple users share the same device and browser (NVD).
At the time of writing, no official patch is available for this vulnerability. The issue affects Keycloak versions <= 26.4.2, and users are advised to monitor for updates from Red Hat for a security fix (Red Hat).
Source: This report was generated using AI