Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0076

NIXPKGS-2026-0076
published on
Permalink CVE-2025-12110
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 3 months, 1 week ago
  • @LeSuisse ignored
    4 packages
    • terraform-providers.keycloak
    • python312Packages.python-keycloak
    • python313Packages.python-keycloak
    • terraform-providers.keycloak_keycloak
    3 months, 1 week ago
  • @LeSuisse accepted 3 months, 1 week ago
  • @LeSuisse published on GitHub 3 months, 1 week ago
Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

References

Affected products

keycloak
  • <26.4.3
keycloak-server
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
Red Hat build of Keycloak 26.2.11

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Ignored packages (4)

Package maintainers

Upstream fix: https://github.com/keycloak/keycloak/commit/e0c1f2ee0fd14ba76338d9c2c213d45d0e857450