CVE-2025-12110: Insufficient Session Expiration in Red Hat Red Hat Build of Keycloak
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, but they are.
AI Analysis
Technical Summary
CVE-2025-12110 identifies a vulnerability in the Red Hat Build of Keycloak, Red Hat's supported distribution of the open-source Keycloak identity and access management server. Keycloak issues an offline token (a long-lived refresh token backed by a server-side offline session) when a client requests the offline_access scope; the session survives the user's logout and exists so that a client can act on the user's behalf while the user is not present. The flaw is in how scope removal interacts with those sessions: when an administrator removes the offline_access scope from a client, intending to end offline access for that client, Keycloak stops issuing new offline tokens but keeps honouring the ones already issued. A refresh token from an existing offline session is still accepted at the token endpoint, so its holder can keep obtaining fresh access tokens after the scope is gone. This is a revocation gap, not an authentication bypass: the attacker must already hold a valid offline refresh token, which is why the CVSS 3.1 vector requires low privileges (PR:L) and gives a base score of 5.4 (medium), with network attack vector, low attack complexity, no user interaction, low impact on confidentiality and integrity, and no impact on availability. At the time of writing no exploitation in the wild has been reported and no patch is linked from this record, so the practical defence is to treat scope removal and offline-session revocation as two separate administrative steps rather than assuming one implies the other.
Potential Impact
For European organizations, the practical consequence is that offline access an administrator believed to be withdrawn remains usable. Organizations relying on Keycloak in finance, healthcare, government and critical infrastructure may see continued access to protected APIs by a client, device or user that should have lost it, at whatever privilege the original token carried; the flaw does not by itself grant higher privileges. It undermines administrators' ability to enforce session expiration through scope management, so a compromised or decommissioned service client, or an insider whose offline token was never explicitly revoked, keeps access for as long as the token is refreshed within the realm's Offline Session Idle window (and, where Offline Session Max Limited is enabled, up to the Offline Session Max). Availability is not affected, but the loss of a reliable revocation path carries operational and reputational consequences, and the actual impact depends on what the affected client could reach. GDPR access-control and data-protection obligations raise the compliance stakes if such access is exploited.
Mitigation Recommendations
European organizations should implement several specific mitigations beyond generic advice:
1) Monitor refresh-token usage. Keycloak records a REFRESH_TOKEN login event for every refresh; persist login events (Realm settings > Events) and alert on refreshes for a client after its offline_access scope has been removed, or on refreshes from addresses or at rates that do not match the client's normal behaviour.
2) Revoke existing offline sessions explicitly whenever the scope is removed. Removing the scope only prevents new offline tokens; existing ones must be revoked separately, per user through the admin console (user > Consents > Revoke) or the Admin REST API (DELETE /admin/realms/{realm}/users/{id}/consents/{clientId}), or by the user in the account console under Applications. A client's remaining offline sessions can be listed with GET /admin/realms/{realm}/clients/{id}/offline-sessions to confirm none are left. No custom extension is needed for this.
3) Limit offline_access to clients that genuinely need unattended access: remove it from the realm's default optional client scopes if most clients do not need it, assign it explicitly, and review which clients currently have it.
4) Bound the lifetime of offline sessions in realm settings (Offline Session Idle, and enable Offline Session Max Limited with an Offline Session Max), so that a missed revocation eventually expires instead of being renewable indefinitely.
5) Apply Red Hat's fix for the affected build as soon as it is available.
6) Add compensating controls such as multi-factor authentication for interactive logins and anomaly detection on the token endpoint.
7) Document for administrators that changing a client's scopes does not invalidate sessions already created under them, and make offline-session revocation a required step in scope-change and offboarding procedures until the fix is deployed.
8) Restrict network access to the Keycloak token and admin endpoints to the networks and clients that need them.
These actions shorten the window in which an un-revoked offline session can be used and restore a reliable revocation path.
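The verification check from the technical summary and the explicit revocation step from item 2 above, as an added example that is not code from the advisory or from the Keycloak project. It uses only the Python standard library and the Admin REST API and token endpoints named above; the host sso.example.test, realm corp, client reporting-batch and the sample session listing are constructed placeholders.

```python
"""
Added example, not code from the advisory or from the Keycloak project.
Enumerates the offline sessions still attached to a client through the
Keycloak Admin REST API, revokes them per user (consent revocation, which
also drops the user's offline tokens for that client), and verifies at the
token endpoint that an offline refresh token issued before the scope was
removed is no longer accepted.  Host, realm, client and user names are
hypothetical placeholders.  Standard library only.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK = "https://sso.example.test"    # assumed Keycloak base URL
REALM = "corp"                           # assumed realm
TARGET_CLIENT_ID = "reporting-batch"     # assumed client that lost offline_access

# Constructed sample of what GET /clients/{id}/offline-sessions returns
# (UserSessionRepresentation objects); two sessions belong to the same user.
SAMPLE_OFFLINE_SESSIONS = [
    {"id": "s1", "userId": "u-1001", "username": "alice", "ipAddress": "10.0.0.5"},
    {"id": "s2", "userId": "u-2002", "username": "bob", "ipAddress": "10.0.0.9"},
    {"id": "s3", "userId": "u-1001", "username": "alice", "ipAddress": "10.0.0.6"},
]


def _request(method, url, data=None, headers=None):
    """Issue one HTTP request; return (status, decoded JSON or {})."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def _post_form(url, fields):
    return _request("POST", url, urllib.parse.urlencode(fields).encode(),
                    {"Content-Type": "application/x-www-form-urlencoded"})


def _admin(method, path, token):
    return _request(method, f"{KEYCLOAK}/admin/realms/{REALM}{path}", None,
                    {"Authorization": f"Bearer {token}"})


def admin_token(username, password):
    """Password grant on the built-in admin-cli client of the master realm."""
    status, body = _post_form(
        f"{KEYCLOAK}/realms/master/protocol/openid-connect/token",
        {"grant_type": "password", "client_id": "admin-cli",
         "username": username, "password": password})
    if status != 200:
        raise RuntimeError(f"admin login failed: {status} {body}")
    return body["access_token"]


def distinct_user_ids(offline_sessions):
    """User ids holding at least one offline session, deduplicated and sorted."""
    return sorted({s["userId"] for s in offline_sessions if s.get("userId")})


def classify_refresh(status, body):
    """Interpret a token-endpoint reply to a refresh_token grant.  A live
    offline token yields 200 with a new access_token; a revoked one yields
    400 with error=invalid_grant."""
    if status == 200 and "access_token" in body:
        return "still_valid"
    if status == 400 and body.get("error") == "invalid_grant":
        return "revoked"
    return f"unexpected:{status}"


def refresh_offline_token(client_id, refresh_token, client_secret=None):
    """Try to use an offline refresh token; returns the classify_refresh label."""
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": refresh_token}
    if client_secret:
        fields["client_secret"] = client_secret
    return classify_refresh(*_post_form(
        f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token", fields))


def list_offline_sessions(internal_client_id, token, page=100):
    """Page through the client's offline sessions (the endpoint caps results)."""
    sessions, first = [], 0
    while True:
        _, batch = _admin("GET", f"/clients/{internal_client_id}/offline-sessions"
                          f"?first={first}&max={page}", token)
        if not batch:
            return sessions
        sessions.extend(batch)
        first += len(batch)


def revoke_offline_sessions(client_id, token):
    """Revoke consent, and with it the offline tokens, of every user that still
    holds an offline session with the client.  Returns the affected user ids."""
    _, clients = _admin("GET", f"/clients?clientId={urllib.parse.quote(client_id)}", token)
    if not clients:
        raise RuntimeError(f"client {client_id!r} not found in realm {REALM!r}")
    users = distinct_user_ids(list_offline_sessions(clients[0]["id"], token))
    for user_id in users:
        # Same operation as "Revoke" on the user's Consents tab; 404 means
        # nothing was left to revoke for that user.
        status, _ = _admin("DELETE", f"/users/{user_id}/consents/{client_id}", token)
        if status not in (204, 404):
            raise RuntimeError(f"revocation failed for {user_id}: HTTP {status}")
    return users


if __name__ == "__main__":
    import getpass
    import sys
    old_token = sys.argv[1] if len(sys.argv) > 1 else None  # pre-removal offline token
    tok = admin_token("admin", getpass.getpass("admin password: "))
    if old_token:
        print("before:", refresh_offline_token(TARGET_CLIENT_ID, old_token))
    print("revoked users:", revoke_offline_sessions(TARGET_CLIENT_ID, tok))
    if old_token:
        print("after:", refresh_offline_token(TARGET_CLIENT_ID, old_token))
```

Run it with an offline refresh token captured before the scope change as the first argument: on an affected build the first check reports still_valid even though the scope is gone, and a successful revocation (or a fixed build) flips the second check to revoked. The session listing is collected in full before anything is revoked, because revoking consent changes the pages the endpoint returns.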
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-10-23T14:07:56.849Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fa3b37958c70c10281cfae
Added to database: 10/23/2025, 2:27:03 PM
Last enriched: 10/23/2025, 2:27:18 PM
Last updated: 10/23/2025, 7:09:57 PM
Related Threats
- CVE-2025-6980: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Arista Networks Arista Edge Threat Management - Arista Next Generation Firewall (High)
- CVE-2025-6979: CWE-287 Improper Authentication in Arista Networks Arista Edge Threat Management - Arista Next Generation Firewall (High)
- CVE-2025-6978: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Arista Networks Arista Edge Threat Management - Arista Next Generation Firewall (High)
- CVE-2025-62255: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (Low)
- CVE-2025-23352: CWE-824 Access of Uninitialized Pointer in NVIDIA Virtual GPU Manager (High)