Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-11429

Good to know:

icon
icon

Date: October 23, 2025

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Severity Score

Related Resources (10)

https://bugzilla.redhat.com/show_bug.cgi?id=2402148
https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b
https://access.redhat.com/security/cve/CVE-2025-11429
https://github.com/keycloak/keycloak/issues/43328
https://access.redhat.com/errata/RHSA-2025:22088
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d
https://nvd.nist.gov/vuln/detail/CVE-2025-11429
https://access.redhat.com/errata/RHSA-2025:22089
https://www.mend.io/vulnerability-database/CVE-2025-11429

Severity Score

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

icon

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:26.4.1;https://github.com/keycloak/keycloak.git - 26.4.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us