VYPR
Medium severity 6.0 · GHSA Advisory · Published Oct 28, 2025 · Updated Apr 15, 2026

CVE-2025-12390

Description

A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | < 26.0.0 | 26.0.0 |

Affected products: 31

References: 14
