NIXPKGS-2026-0076

GitHub issue published on 21 Jan 2026

Permalink CVE-2025-12110

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
4 packages
- terraform-providers.keycloak
- python312Packages.python-keycloak
- python313Packages.python-keycloak
- terraform-providers.keycloak_keycloak
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

Affected products

keycloak

<26.4.3

keycloak-server

rhbk/keycloak-rhel9

rhbk/keycloak-rhel9-operator

rhbk/keycloak-operator-bundle

Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

nixos-unstable 26.4.5
- nixpkgs-unstable 26.4.5
- nixos-unstable-small 26.4.5

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@NickCao Nick Cao <nickcao@nichi.co>
@ngerstle Nicholas Gerstle <ngerstle@gmail.com>
@talyz Kim Lindberger <kim.lindberger@gmail.com>

Upstream fix: https://github.com/keycloak/keycloak/commit/e0c1f2ee0fd14ba76338d9c2c213d45d0e857450

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0076

Affected products

Matching in nixpkgs

pkgs.keycloak

Package maintainers