CVE-2025-12110: Insufficient Session Expiration in Red Hat Red Hat build of Keycloak 26.2
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is still accepted, and new tokens can continue to be requested for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, but they are.
AI Analysis
Technical Summary
CVE-2025-12110 is a vulnerability identified in the Red Hat build of Keycloak version 26.2, related to insufficient session expiration controls. Keycloak is an open-source identity and access management solution widely used for single sign-on and token-based authentication. The vulnerability arises because offline sessions remain valid even after the offline_access scope is removed from the client configuration. Normally, removing this scope should invalidate offline sessions and prevent refresh tokens from being accepted. However, due to this flaw, refresh tokens continue to be accepted, allowing an attacker or unauthorized user to request new access tokens indefinitely for the same session. This undermines the administrator's intent to revoke offline access, potentially leading to prolonged unauthorized access to protected resources. The CVSS score of 5.4 (medium severity) reflects that the vulnerability requires network access and low privileges but no user interaction, and impacts confidentiality and integrity without affecting availability. There are no known exploits in the wild yet, and no patches were linked at the time of publication, indicating that organizations must be vigilant and proactive. The flaw could be exploited by an attacker who has obtained a refresh token prior to scope removal, allowing continued token refresh and access beyond the intended session lifetime. This vulnerability highlights the importance of robust session and token lifecycle management in identity platforms.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of sensitive data and systems protected by Keycloak authentication. Attackers or malicious insiders with access to refresh tokens could maintain unauthorized access even after administrators attempt to revoke offline access, potentially leading to data breaches, privilege escalation, or lateral movement within networks. Organizations relying on Keycloak for critical applications, especially those handling personal data under GDPR, face compliance risks if unauthorized access persists undetected. The medium severity score indicates a moderate risk, but the potential for prolonged unauthorized access without user interaction increases the threat level in environments with high-value targets. The impact is particularly significant for sectors such as finance, healthcare, government, and telecommunications, where identity management is crucial. Additionally, the lack of immediate patches means organizations must implement compensating controls to mitigate risk until updates are available.
Mitigation Recommendations
1. Monitor and audit refresh token usage closely to detect unusual or prolonged token refresh activity that may indicate exploitation.
2. Implement strict token revocation policies and consider reducing refresh token lifetimes to limit exposure.
3. Enforce multi-factor authentication (MFA) to reduce the risk of token theft or misuse.
4. Segregate administrative functions and restrict privileges to minimize the impact of compromised tokens.
5. Stay informed on Red Hat and Keycloak vendor advisories and apply patches promptly once released.
6. Consider deploying additional session management controls such as token introspection and real-time revocation checks.
7. Educate administrators on the implications of offline_access scope changes and verify session invalidation through testing.
8. Use network segmentation and anomaly detection systems to identify suspicious authentication patterns.
9. Review and update incident response plans to include scenarios involving token misuse and session persistence.
10. If possible, temporarily disable the offline_access scope or limit its use until the vulnerability is addressed.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-10-23T14:07:56.849Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fa3b37958c70c10281cfae
Added to database: 10/23/2025, 2:27:03 PM
Last enriched: 12/5/2025, 4:11:55 AM
Last updated: 12/7/2025, 3:43:25 AM
Views: 410
Related Threats
- CVE-2025-14182: Path Traversal in Sobey Media Convergence System (Medium)
- CVE-2025-14141: Buffer Overflow in UTT 进取 520W (High)
- CVE-2025-14140: Buffer Overflow in UTT 进取 520W (High)
- CVE-2025-14139: Buffer Overflow in UTT 进取 520W (Medium)
- CVE-2025-14136: Stack-based Buffer Overflow in Linksys RE6500 (High)