
CVE-2025-12390: Session Fixation in Red Hat Red Hat build of Keycloak 26.2

Severity: Medium
Published: Tue Oct 28 2025 (10/28/2025, 13:23:34 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat build of Keycloak 26.2

Description

A flaw was found in Keycloak that allows a user to unintentionally gain access to another user's session when both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and does not clean up properly during logout when the browser cookies are missing. As a result, one user may receive tokens that belong to another user.

AI-Powered Analysis

AI analysis last updated: 12/05/2025, 04:17:54 UTC

Technical Analysis

CVE-2025-12390 identifies a session fixation vulnerability in the Red Hat build of Keycloak version 26.2. The issue arises because Keycloak sometimes reuses session identifiers and fails to properly clean up session data during logout when browser cookies are missing. This flaw allows a scenario where two users sharing the same device and browser environment can have their sessions interchanged, leading to one user inadvertently gaining access to another user's session tokens. The root cause is improper session invalidation and reuse of session IDs, which violates secure session management principles. Exploitation requires that both users use the same device/browser, and that cookies are missing or deleted, which is a relatively uncommon but plausible scenario in shared or public workstation environments. The vulnerability impacts confidentiality and integrity by exposing sensitive authentication tokens and potentially allowing unauthorized access to user accounts. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N) indicates that the attack requires local access, high attack complexity, low privileges, and user interaction, with no impact on availability. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The flaw is specific to Red Hat's build of Keycloak 26.2, a widely used open-source identity and access management solution, often deployed in enterprise environments for authentication and authorization services.

Potential Impact

For European organizations, the vulnerability poses a risk primarily to confidentiality and integrity of user sessions, potentially leading to unauthorized access to sensitive applications and data. Organizations that deploy Keycloak 26.2 in environments where devices are shared among multiple users—such as call centers, public kiosks, or shared office workstations—are at higher risk. Attackers with local access could exploit this flaw to hijack sessions, leading to data breaches, privilege escalation, and unauthorized actions within protected systems. The impact is mitigated by the requirement for local access and user interaction, but the risk remains significant in environments with shared devices or insufficient endpoint security. Additionally, sectors with strict compliance requirements (e.g., finance, healthcare, government) may face regulatory consequences if session hijacking leads to data exposure. The lack of availability impact means service disruption is unlikely, but trust and security posture could be compromised.

Mitigation Recommendations

Organizations should immediately upgrade to a patched version of Red Hat Keycloak once available. In the interim, administrators should enforce strict session management policies, including ensuring that session identifiers are unique per login and properly invalidated on logout. Implementing browser cookie management policies to prevent cookie deletion or manipulation can reduce risk. Deploy endpoint security controls to restrict unauthorized local access and monitor for unusual session activity. Consider configuring Keycloak to enforce multi-factor authentication (MFA) to reduce the impact of session hijacking. Educate users about the risks of shared device usage and encourage logging out properly and avoiding shared browsers. Network segmentation and access controls can limit exposure of Keycloak instances to trusted users only. Regularly audit session logs for anomalies and integrate with SIEM solutions for real-time alerting on suspicious session behavior.
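The two defects the advisory names (identifier reuse across logins, and logout that only consults the cookie) can be shown side by side with the behaviour the mitigation paragraph asks for. The following is an added, constructed Python model, not Keycloak's code or the advisory's; the browser key and the `session_hint` logout parameter are assumptions standing in for whatever identifies the session to the server when the cookie is gone.

```python
import secrets

# Constructed toy model (not Keycloak code) of the failure mode the advisory describes:
# reusing a session identifier for a new login in the same browser, and skipping
# cleanup on logout when the browser cookie is missing, leaves the previous user's
# tokens reachable by the next user of that browser.

class UnsafeSessionStore:
    def __init__(self):
        self.sessions = {}             # sid -> {"user": ..., "token": ...}
        self.last_sid_by_browser = {}  # browser -> last sid handed out (the reuse bug)

    def login(self, browser, user):
        sid = self.last_sid_by_browser.get(browser) or secrets.token_hex(16)
        # setdefault keeps an existing entry: the earlier user's tokens survive
        self.sessions.setdefault(sid, {"user": user, "token": secrets.token_hex(8)})
        self.last_sid_by_browser[browser] = sid
        return sid

    def logout(self, browser, cookie_sid=None, session_hint=None):
        if cookie_sid is not None:     # only the cookie is consulted (the cleanup bug)
            self.sessions.pop(cookie_sid, None)

    def owner(self, sid):
        return self.sessions[sid]["user"]

    def is_active(self, sid):
        return sid in self.sessions

class SafeSessionStore(UnsafeSessionStore):
    def login(self, browser, user):
        sid = secrets.token_hex(16)    # fresh identifier on every login, never reused
        self.sessions[sid] = {"user": user, "token": secrets.token_hex(8)}
        return sid

    def logout(self, browser, cookie_sid=None, session_hint=None):
        # Revoke server-side using whatever identifies the session: the cookie if
        # present, otherwise the session reference the client sends with the logout
        # request (hypothetical analogue of an id_token_hint / sid claim).
        for sid in (cookie_sid, session_hint):
            if sid is not None:
                self.sessions.pop(sid, None)

def shared_browser_scenario(store_cls):
    """Alice logs in, her cookie is gone by logout time, then Bob logs in on the same browser.
    Returns (owner of the session Bob received, whether Alice's session is still active)."""
    store = store_cls()
    alice_sid = store.login("kiosk-browser", "alice")
    store.logout("kiosk-browser", cookie_sid=None, session_hint=alice_sid)
    bob_sid = store.login("kiosk-browser", "bob")
    return store.owner(bob_sid), store.is_active(alice_sid)
```

With the unsafe store the scenario hands Bob a session still owned by Alice and leaves her session active; the safe store returns a session owned by Bob and reports Alice's session revoked.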


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-10-28T13:14:38.975Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6900c82a05cd0025c8e834e4

Added to database: 10/28/2025, 1:42:02 PM

Last enriched: 12/5/2025, 4:17:54 AM

Last updated: 12/13/2025, 3:43:59 AM
