CVE-2025-12110 MEDIUM

CVE-2025-12110: Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

Vendor Keycloak
Product keycloak
Weakness CWE-613 · Insufficient session expiration
Published October 23, 2025
Last update January 20, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

A flaw was found in Keycloak. An offline session remains valid after the offline_access client scope is removed from the client: the server still accepts the session's offline refresh token, and the holder can keep requesting new tokens for that session. This matters because an administrator who removes the scope may assume that offline sessions for the client are no longer available when in fact they are; existing offline sessions have to be revoked explicitly, since removing the scope does not end them.
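The following is an added example, not code from the advisory or from the Keycloak project. It shows the check an administrator would run to tell whether a realm is affected: inspect an offline refresh token's claims, decide from the client's current client-scope list what a correct server should do with it, then classify the token endpoint's answer. The sample token, the client name "reporting-app", the scope sets and the issuer URL are all constructed for illustration; the live `probe` helper needs a real Keycloak token endpoint and is not exercised offline.

```python
# Added example, not part of the advisory or of Keycloak's own code.
# Inspects an offline refresh token and, given the client's current client
# scopes, says whether a refresh should be rejected, then classifies the token
# endpoint's response. All sample data below is constructed.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature.

    Verification is skipped on purpose: this is admin-side inspection of a
    token you already hold, not an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_offline_token(claims: dict) -> bool:
    # Keycloak offline refresh tokens carry typ "Offline" and the
    # offline_access scope; either signal is enough here (assumption).
    scopes = claims.get("scope", "").split()
    return claims.get("typ") == "Offline" or "offline_access" in scopes


def expected_verdict(claims: dict, client_scopes: set) -> str:
    """What a correctly behaving server should do with this refresh token.

    client_scopes: the client's current default + optional client scopes,
    e.g. as read from the admin console.
    """
    if not is_offline_token(claims):
        return "n/a"          # online refresh token; this CVE does not apply
    if "offline_access" in client_scopes:
        return "accept"       # client may still hold offline sessions
    return "reject"           # scope removed: the offline session should be dead


def classify_response(expected: str, status: int, body: dict) -> str:
    """Compare the token endpoint's answer with the expected verdict."""
    if expected == "n/a":
        return "N/A"
    refreshed = status == 200 and "access_token" in body
    if expected == "reject":
        return "VULNERABLE" if refreshed else "FIXED"
    return "OK" if refreshed else "UNEXPECTED"


def build_refresh_request(token_endpoint: str, client_id: str,
                          client_secret: str, refresh_token: str) -> urllib.request.Request:
    # Plain OAuth 2.0 refresh_token grant against the realm's token endpoint.
    data = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    return urllib.request.Request(token_endpoint, data=data, method="POST")


def probe(token_endpoint: str, client_id: str, client_secret: str,
          refresh_token: str, client_scopes: set) -> str:
    """Live check against a real realm (needs network; not run offline)."""
    expected = expected_verdict(decode_jwt_claims(refresh_token), client_scopes)
    req = build_refresh_request(token_endpoint, client_id, client_secret, refresh_token)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_response(expected, resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return classify_response(expected, err.code, json.load(err))


def make_constructed_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for a Keycloak offline token (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed sample: an offline token issued to a hypothetical client.
SAMPLE_OFFLINE_TOKEN = make_constructed_token({
    "typ": "Offline",
    "azp": "reporting-app",
    "scope": "openid offline_access",
    "iss": "https://keycloak.example/realms/demo",
})

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_OFFLINE_TOKEN)
    # Scope set after the admin removed offline_access from the client.
    verdict = expected_verdict(claims, {"openid", "profile", "email"})
    print("expected:", verdict)
    print("server answers 200 with tokens:", classify_response(verdict, 200, {"access_token": "x"}))
    print("server answers 400 invalid_grant:", classify_response(verdict, 400, {"error": "invalid_grant"}))
```

Run it as-is for the offline walk-through, or call `probe()` with a real token endpoint, client credentials, an offline refresh token obtained before the scope was removed, and the client's current scope list; a "VULNERABLE" result means the offline session outlived the scope removal as the advisory describes.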

Key dates

Disclosure timeline

October 23, 2025 CVE published
January 20, 2026 Record updated