CVE-2025-12390: Keycloak vulnerable to session takeovers due to reuse of session identifiers

October 28, 2025 (updated October 29, 2025)

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user’s session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

References

access.redhat.com/security/cve/CVE-2025-12390
bugzilla.redhat.com/show_bug.cgi?id=2406793
github.com/advisories/GHSA-rg35-5v25-mqvp
github.com/keycloak/keycloak
nvd.nist.gov/vuln/detail/CVE-2025-12390

Code Behaviors & Features

Detect and mitigate CVE-2025-12390 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →