CVE-2025-12390: A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. ...

Description

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

Metrics

CVSS 3.1

6/10

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS Probability

0.13%

2.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-384

References

Timeline

Published: Oct 28, 2025
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2025-12390?

A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.

How severe is CVE-2025-12390?

CVE-2025-12390 has a CVSS score of 6/10 (MEDIUM severity). The EPSS model estimates a 0.13% probability of exploitation in the next 30 days.

How do I fix CVE-2025-12390?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.