CVE-2025-12390: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2025-12390) was discovered in Keycloak, where users can accidentally gain access to another user's session when sharing the same device and browser. The vulnerability was disclosed on October 28, 2025, affecting Keycloak's session management system. The issue stems from Keycloak's improper handling of session identifiers during logout processes, particularly when browser cookies are missing (NVD, Red Hat).

The vulnerability is classified as CWE-384 (Session Fixation) with a CVSS v3.1 base score of 6.0 (Medium). The vulnerability vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N, indicating local access, high attack complexity, low privileges required, user interaction required, unchanged scope, and high impacts on confidentiality and integrity, but no impact on availability (Red Hat).

When exploited, this vulnerability allows one user to receive tokens belonging to another user, potentially leading to unauthorized access to user sessions. The impact is particularly significant when multiple users share the same device and browser, as it can result in unintended access to another user's authenticated session (NVD).

According to Red Hat, mitigation options for this issue are either not available or do not meet their Product Security criteria for ease of use, deployment, applicability to widespread installation base, or stability (Red Hat).

Red Hat has acknowledged the vulnerability and credited Simon Levermann from CTS EVENTIM Solutions GmbH for reporting this security issue (Red Hat).