CVE-2025-11429

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Published: Oct 23, 2025
Updated: Oct 24, 2025
CVE: CVE-2025-11429
GHSA: GHSA-64w3-5q9m-68xf
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	26.4.1

https://access.redhat.com/security/cve/CVE-2025-11429
https://bugzilla.redhat.com/show_bug.cgi?id=2402148
https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d
https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b
https://github.com/keycloak/keycloak/issues/43328

Vulnerability Database

CVE-2025-11429

Deep Security Visibility Without the Complexity