Description

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

INFO

Published Date :

2025-10-23T14:09:31.901Z

Last Modified :

2026-01-20T21:16:58.585Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2025-11429 vulnerability.

Vendors Products
Redhat
  • Build Keycloak
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-11429.

URL Resource
https://access.redhat.com/errata/RHSA-2025:22088 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22089 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-11429 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2402148 cve-icon cve-icon
https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d cve-icon cve-icon
https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b cve-icon cve-icon
https://github.com/keycloak/keycloak/issues/43328 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-11429 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-11429 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact