CVE-2025-12110 – Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client’s offline_access scope was removed

CVE ID : CVE-2025-12110

Published : Oct. 23, 2025, 2:19 p.m. | 23 minutes ago

Description : A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…