CVE-2025-11429

Source
https://cve.org/CVERecord?id=CVE-2025-11429
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11429.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-11429
Aliases
Downstream
Related
Published
2025-10-23T14:09:31.901Z
Modified
2026-07-16T03:47:20.716773835Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Keycloak-server: too long and not settings compliant session
Details

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Database specific
{
    "cwe_ids": [
        "CWE-613"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11429.json",
    "cna_assigner": "redhat"
}
References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type
GIT
Repo
https://github.com/keycloak/keycloak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.4.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-beta-1
1.0-beta-2
1.0-beta-4
1.0-final
1.0-rc-1
1.0.0.Final
1.1.0.Beta2
1.3.0.Final
2.*
2.4.0.Test

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11429.json"