A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.
rhbk/keycloak Red Hat / RHEL
Fixed in: rhel9@sha256:9993b5ca357dd6bfdcaf6ca207dc2640686e9dc3a1383504ec35ece20336d55c_ppc64le RHSA-2025:21371 Fixed in: rhel9-operator@sha256:cec95b5c4ee797c24b1e1b7b4153aa739b706ad4421fd1d2dfd3eea27e314e1f_ppc64le RHSA-2025:21371 Fixed in: rhel9@sha256:670c505d4614d99916a958daaf432f8bbac8584e3be95e7b79b6be49833d8213_arm64 RHSA-2025:21371 Fixed in: rhel9-operator@sha256:30a472b0c9cfa3f9d60942d45f7eb5ef9ef2a4e80665bcf0d179727c6404d792_arm64 RHSA-2025:21371 Fixed in: rhel9@sha256:3cbef8b1d1a0794f5f5f13630f4db9c210f21a8949329d33ee8873a33a48f1dd_amd64 RHSA-2025:21371 Fixed in: operator-bundle@sha256:50577bde141dae173b700c21f83b2bf66b0f7a32b76b4b75e43cc4da249f3dad_amd64 RHSA-2025:21371 Fixed in: rhel9-operator@sha256:e1c3d0ef47ab51ce48553dcb6be4a6db8ac7dd8ba82e9ec15e97cd753aeaa9eb_amd64 RHSA-2025:21371 Fixed in: rhel9@sha256:175daaf28bfa2e07cdf5a337bdf247de519c03c7df4a17367f8f1e5f40a469ea_s390x RHSA-2025:21371 Fixed in: rhel9-operator@sha256:30abecc1365b4f510403ff4bc244de1a9735e02f8b9a665fc77f2aec2ee5a025_s390x RHSA-2025:21371 Fixed in: rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 RHSA-2025:22088 Fixed in: operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 RHSA-2025:22088 Fixed in: rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le RHSA-2025:22088 Fixed in: rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le RHSA-2025:22088 Fixed in: rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x RHSA-2025:22088 Fixed in: rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x RHSA-2025:22088 Fixed in: rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 RHSA-2025:22088 rhbk/keycloak Rocky
Fixed in: rhel9@sha256:9993b5ca357dd6bfdcaf6ca207dc2640686e9dc3a1383504ec35ece20336d55c_ppc64le RHSA-2025:21371 Fixed in: rhel9-operator@sha256:cec95b5c4ee797c24b1e1b7b4153aa739b706ad4421fd1d2dfd3eea27e314e1f_ppc64le RHSA-2025:21371 Fixed in: rhel9@sha256:670c505d4614d99916a958daaf432f8bbac8584e3be95e7b79b6be49833d8213_arm64 RHSA-2025:21371 Fixed in: rhel9-operator@sha256:30a472b0c9cfa3f9d60942d45f7eb5ef9ef2a4e80665bcf0d179727c6404d792_arm64 RHSA-2025:21371 Fixed in: rhel9@sha256:3cbef8b1d1a0794f5f5f13630f4db9c210f21a8949329d33ee8873a33a48f1dd_amd64 RHSA-2025:21371 Fixed in: operator-bundle@sha256:50577bde141dae173b700c21f83b2bf66b0f7a32b76b4b75e43cc4da249f3dad_amd64 RHSA-2025:21371 Fixed in: rhel9-operator@sha256:e1c3d0ef47ab51ce48553dcb6be4a6db8ac7dd8ba82e9ec15e97cd753aeaa9eb_amd64 RHSA-2025:21371 Fixed in: rhel9@sha256:175daaf28bfa2e07cdf5a337bdf247de519c03c7df4a17367f8f1e5f40a469ea_s390x RHSA-2025:21371 Fixed in: rhel9-operator@sha256:30abecc1365b4f510403ff4bc244de1a9735e02f8b9a665fc77f2aec2ee5a025_s390x RHSA-2025:21371 Fixed in: rhel9@sha256:527c210541d8669a7b08029be54f411512f14fe887d92569801e8801f8c001f5_amd64 RHSA-2025:22088 Fixed in: operator-bundle@sha256:dbebd9c370278ca9745863823ea05be8026400f70ada7650d65ef381841bfc5b_amd64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:b9525ea17de357c938972cc8c6cf78ba1fc1902901e1759908e9fcb2c0e72aed_amd64 RHSA-2025:22088 Fixed in: rhel9@sha256:8c52f172dd64c5d4a4078a3d9af16612151607332eea832c6ded4600d71c68ca_ppc64le RHSA-2025:22088 Fixed in: rhel9-operator@sha256:d7602888e037d4d5bba73f896e4537721130464ef82406c31a445701f015f93b_ppc64le RHSA-2025:22088 Fixed in: rhel9@sha256:31618f217a7d9a08945106f507dd0ca02b3850d183c4915311203423204a4c03_s390x RHSA-2025:22088 Fixed in: rhel9-operator@sha256:56c72c8a7c8fc6dc429272f50d1ca7d2c1f3c20819f86c314ecd16df7067f348_s390x RHSA-2025:22088 Fixed in: rhel9@sha256:c9da93981df5435ded6a22b5a36876c4a10f66ebc4d4f91fdd9e2084e6b60a2f_arm64 RHSA-2025:22088 Fixed in: rhel9-operator@sha256:57d64e64c4b64a802faf366d4e156d01b04c2fbb3d866b123ac4c2f82968a46f_arm64 RHSA-2025:22088 Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
Exploitability
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Unchanged
Impact
Confidentiality High
Integrity High
Availability None
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
0.13% probability of exploitation in 30 days
3rd percentile
Low risk: more likely to be exploited than 3% of all known CVEs.
Other CWE-384 vulnerabilities, ordered by exploit likelihood. View all
Embed a live status badge for CVE-2025-12390 Markdown
[](https://tridentstack.com/cve/CVE-2025-12390)HTML
<a href="https://tridentstack.com/cve/CVE-2025-12390"><img src="https://tridentstack.com/cve/badge/CVE-2025-12390.svg" alt="CVE-2025-12390"></a>Find and fix vulnerabilities across your fleet TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start free This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-12-19.