CVE-2025-11429

MEDIUM

Keycloak - Logic Flaw

Title source: llm

Description

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

References (7)

[Patch] https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d

[Patch] https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/keycloak/keycloak/issues/43328

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:22088

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:22089

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-11429

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2402148

Scores

CVSS v3 5.4

EPSS 0.0011

EPSS Percentile 29.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (5)

Keycloak/keycloak < 26.4.1

org.keycloak/keycloak-services 26.3.0 - 26.4.1Maven

Red Hat/Red Hat build of Keycloak 26.2 26.2-12

Red Hat/Red Hat build of Keycloak 26.2 26.2.11-1

Red Hat/Red Hat build of Keycloak 26.2.11

Published Oct 23, 2025

Tracked Since Feb 18, 2026