Medium severity (6.0) · GHSA advisory · Published Oct 28, 2025 · Updated Apr 15, 2026
CVE-2025-12390
Description
A flaw was found in Keycloak. A user can accidentally gain access to another user's session when both use the same device and browser. This happens because Keycloak can reuse session identifiers and does not clean up properly during logout when the browser cookies are missing. As a result, one user may receive tokens that belong to another user. The precondition is a shared browser, such as a kiosk or shared workstation; no attacker interaction beyond the second user logging in is described.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | < 26.0.0 | 26.0.0 |
Affected products
30 package URLs are listed; none has a CPE assigned, so each range is given per package URL. The Maven entry matches the GHSA range above; the apk entries are fixed in distribution package revisions (the `-rN` suffix), not in a new upstream version, so the fixed revision differs from package to package even within one Keycloak minor.

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/keycloak-26.2 | < 26.2.5-r6 |
| pkg:apk/chainguard/keycloak-26.2-compat | < 26.2.5-r6 |
| pkg:apk/chainguard/keycloak-26.2-iamguarded-compat | < 26.2.5-r6 |
| pkg:apk/chainguard/keycloak-26.3 | < 26.3.5-r3 |
| pkg:apk/chainguard/keycloak-26.3-compat | < 26.3.5-r3 |
| pkg:apk/chainguard/keycloak-26.3-iamguarded-compat | < 26.3.5-r3 |
| pkg:apk/chainguard/keycloak-26.4 | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-26.4-compat | < 26.4.2-r2 |
| pkg:apk/chainguard/keycloak-26.4-iamguarded-compat | < 26.4.5-r0 |
| pkg:apk/chainguard/keycloak-26.4-operator | < 26.4.2-r2 |
| pkg:apk/chainguard/keycloak-26.4-operator-compat | < 26.4.2-r2 |
| pkg:apk/chainguard/keycloak-fips-26.2 | < 26.2.5-r8 |
| pkg:apk/chainguard/keycloak-fips-26.2-iamguarded-fips | < 26.2.5-r8 |
| pkg:apk/chainguard/keycloak-fips-26.3 | < 26.3.5-r4 |
| pkg:apk/chainguard/keycloak-fips-26.3-iamguarded-fips | < 26.3.5-r4 |
| pkg:apk/chainguard/keycloak-fips-26.3-operator | < 26.3.5-r4 |
| pkg:apk/chainguard/keycloak-fips-26.3-operator-compat | < 26.3.5-r4 |
| pkg:apk/chainguard/keycloak-fips-26.4 | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-fips-26.4-iamguarded-fips | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-fips-26.4-operator | < 26.4.4-r0 |
| pkg:apk/chainguard/keycloak-fips-26.4-operator-compat | < 26.4.4-r1 |
| pkg:apk/wolfi/keycloak-26.3 | < 26.3.5-r3 |
| pkg:apk/wolfi/keycloak-26.3-compat | < 26.3.5-r3 |
| pkg:apk/wolfi/keycloak-26.3-iamguarded-compat | < 26.3.5-r3 |
| pkg:apk/wolfi/keycloak-26.4 | < 26.4.4-r0 |
| pkg:apk/wolfi/keycloak-26.4-compat | < 26.4.2-r2 |
| pkg:apk/wolfi/keycloak-26.4-iamguarded-compat | < 26.4.5-r0 |
| pkg:apk/wolfi/keycloak-26.4-operator | < 26.4.2-r2 |
| pkg:apk/wolfi/keycloak-26.4-operator-compat | < 26.4.2-r2 |
| pkg:maven/org.keycloak/keycloak-services | < 26.0.0 |
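Because the fixed revision varies per apk package (26.4.4-r0 for `keycloak-26.4` but 26.4.2-r2 for `keycloak-26.4-compat` and 26.4.5-r0 for `keycloak-26.4-iamguarded-compat`), a plain "is it 26.4.4 or newer" check is wrong for several of the listed builds. The following Python script is an added example, not part of this advisory record or of the Keycloak project: it embeds the package URLs and fixed versions from the table above and answers, for an SBOM-style purl with an `@version` qualifier or for a purl plus installed version, whether that build falls in the affected range. The version handling is the example's own assumption: a missing `-rN` apk revision is treated as r0, shorter version tuples are zero-padded, and versions with textual qualifiers are rejected rather than guessed at. The function names `version_key`, `version_lt`, `is_affected` and `assess` are hypothetical.

```python
import re
from typing import Optional

# Affected ranges copied from the table above: purl -> first fixed version.
# Every listed range has the shape "< fixed".
FIXED_VERSION = {
    "pkg:apk/chainguard/keycloak-26.2": "26.2.5-r6",
    "pkg:apk/chainguard/keycloak-26.2-compat": "26.2.5-r6",
    "pkg:apk/chainguard/keycloak-26.2-iamguarded-compat": "26.2.5-r6",
    "pkg:apk/chainguard/keycloak-26.3": "26.3.5-r3",
    "pkg:apk/chainguard/keycloak-26.3-compat": "26.3.5-r3",
    "pkg:apk/chainguard/keycloak-26.3-iamguarded-compat": "26.3.5-r3",
    "pkg:apk/chainguard/keycloak-26.4": "26.4.4-r0",
    "pkg:apk/chainguard/keycloak-26.4-compat": "26.4.2-r2",
    "pkg:apk/chainguard/keycloak-26.4-iamguarded-compat": "26.4.5-r0",
    "pkg:apk/chainguard/keycloak-26.4-operator": "26.4.2-r2",
    "pkg:apk/chainguard/keycloak-26.4-operator-compat": "26.4.2-r2",
    "pkg:apk/chainguard/keycloak-fips-26.2": "26.2.5-r8",
    "pkg:apk/chainguard/keycloak-fips-26.2-iamguarded-fips": "26.2.5-r8",
    "pkg:apk/chainguard/keycloak-fips-26.3": "26.3.5-r4",
    "pkg:apk/chainguard/keycloak-fips-26.3-iamguarded-fips": "26.3.5-r4",
    "pkg:apk/chainguard/keycloak-fips-26.3-operator": "26.3.5-r4",
    "pkg:apk/chainguard/keycloak-fips-26.3-operator-compat": "26.3.5-r4",
    "pkg:apk/chainguard/keycloak-fips-26.4": "26.4.4-r0",
    "pkg:apk/chainguard/keycloak-fips-26.4-iamguarded-fips": "26.4.4-r0",
    "pkg:apk/chainguard/keycloak-fips-26.4-operator": "26.4.4-r0",
    "pkg:apk/chainguard/keycloak-fips-26.4-operator-compat": "26.4.4-r1",
    "pkg:apk/wolfi/keycloak-26.3": "26.3.5-r3",
    "pkg:apk/wolfi/keycloak-26.3-compat": "26.3.5-r3",
    "pkg:apk/wolfi/keycloak-26.3-iamguarded-compat": "26.3.5-r3",
    "pkg:apk/wolfi/keycloak-26.4": "26.4.4-r0",
    "pkg:apk/wolfi/keycloak-26.4-compat": "26.4.2-r2",
    "pkg:apk/wolfi/keycloak-26.4-iamguarded-compat": "26.4.5-r0",
    "pkg:apk/wolfi/keycloak-26.4-operator": "26.4.2-r2",
    "pkg:apk/wolfi/keycloak-26.4-operator-compat": "26.4.2-r2",
    "pkg:maven/org.keycloak/keycloak-services": "26.0.0",
}

# Dotted numeric version with an optional apk "-rN" package revision.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")


def version_key(version: str) -> tuple[tuple[int, ...], int]:
    """Split '26.4.4-r1' into ((26, 4, 4), 1).

    Assumption of this example: a missing apk revision counts as r0, and a
    version with a textual qualifier (e.g. '.Final') raises instead of
    being silently compared.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) is not None else 0
    return numbers, revision


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b.

    Shorter numeric tuples are zero-padded so that 26.4 == 26.4.0, and the
    -rN revision only breaks ties between equal upstream versions.
    """
    (na, ra), (nb, rb) = version_key(a), version_key(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def is_affected(purl: str, installed: str) -> Optional[bool]:
    """Compare an installed version against the advisory's fixed version.

    Returns True/False for a purl in the table and None for a purl the
    advisory does not list (no claim either way, e.g. wolfi keycloak-26.2).
    """
    fixed = FIXED_VERSION.get(purl)
    if fixed is None:
        return None
    return version_lt(installed, fixed)


def assess(purl_with_version: str) -> Optional[bool]:
    """Accept an SBOM-style purl with an '@version' qualifier, for example
    'pkg:apk/wolfi/keycloak-26.4@26.4.3-r1', and return is_affected()."""
    purl, sep, version = purl_with_version.partition("@")
    if not sep:
        raise ValueError("purl has no @version qualifier")
    return is_affected(purl, version)


if __name__ == "__main__":
    # Constructed sample input: the kind of purls an SBOM scanner emits.
    for entry in [
        "pkg:apk/chainguard/keycloak-26.4@26.4.3-r1",
        "pkg:apk/chainguard/keycloak-fips-26.4-operator-compat@26.4.4-r0",
        "pkg:maven/org.keycloak/keycloak-services@26.0.0",
        "pkg:apk/wolfi/keycloak-26.2@26.2.5-r1",
    ]:
        print(f"{entry}: affected={assess(entry)}")
```

The second sample line is the case worth noticing: `keycloak-fips-26.4-operator-compat` at 26.4.4-r0 is still affected, because that package's fix landed in r1, while the sibling `keycloak-fips-26.4` at the same 26.4.4-r0 is not. A `None` result means the package is simply not covered by this record, not that it is safe.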
References
- github.com/advisories/GHSA-rg35-5v25-mqvp (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-12390 (ADVISORY, via GHSA)
- access.redhat.com/errata/RHSA-2025:21370 (WEB, via NVD)
- access.redhat.com/errata/RHSA-2025:21371 (WEB, via NVD)
- access.redhat.com/errata/RHSA-2025:22088 (WEB, via NVD)
- access.redhat.com/errata/RHSA-2025:22089 (WEB, via NVD)
- access.redhat.com/security/cve/CVE-2025-12390 (WEB, via NVD)
- bugzilla.redhat.com/show_bug.cgi (WEB, via NVD)
- github.com/keycloak/keycloak/commit/5344aada5ee06b02ec3a9e0f52fa381d085b6282 (WEB, via GHSA)
- github.com/keycloak/keycloak/commit/b46fab230824a2304daafe74be019e8bd4ee590a (WEB, via GHSA)
- github.com/keycloak/keycloak/commit/d82438a611f2f869f1966c13012953fe963a493d (WEB, via GHSA)
- github.com/keycloak/keycloak/commit/ef75a4dc50aa9459777494e4b88655100bf2ac80 (WEB, via GHSA)
- github.com/keycloak/keycloak/issues/32197 (WEB, via GHSA)
- github.com/keycloak/keycloak/issues/43853 (WEB, via NVD)